Abstract

In existing simulation proof techniques, a single step in a lower-level specification may be simulated by an extended execution fragment in a higher-level one. As a result, it is cumbersome to mechanize these techniques using general purpose theorem provers. Moreover, it is undecidable whether a given relation is a simulation, even if tautology checking is decidable for the underlying specification logic. This paper studies various types of normed simulations. In a normed simulation, each step in a lower-level specification can be simulated by at most one step in the higher-level one, for any related pair of states. In earlier work we demonstrated that normed simulations are quite useful as a vehicle for the formalization of refinement proofs via theorem provers. Here we show that normed simulations also have pleasant theoretical properties: (1) under some reasonable assumptions, it is decidable whether a given relation is a normed forward simulation, provided tautology checking is decidable for the underlying logic; (2) at the semantic level, normed forward and backward simulations together form a complete proof method for establishing behavior inclusion, provided that the higher-level specification has finite invisible nondeterminism.
1 Introduction



Simulation relations and refinement functions are widely used to prove that a lower-level specification of a reactive system correctly implements a higher-level one [Jon94, Lyn96, RE98]. Proving soundness and completeness of proof rules for simulation and refinement has attracted the attention of many researchers in the past two or three decades [Mil71, Lam83, Jon85, LT87, Sta88, KS89, KS93, Jon90, Jon91, AL91, LV95]. The usefulness of all these proof methods was demonstrated by their proposers, who applied them to often highly nontrivial case studies. However, all these refinement/simulation proofs were done manually, and they were typically quite long and tedious. The field has come to realize that if we want to scale up these methods to larger examples, it really matters that the semantical analysis can be carried out with the help of a software tool that requires little or no human intervention. This led Wolper [Wol97] to propose the following criterion for "formal" methods:

Criterion of Semantical Computational Support: A formal method provides semantical computational support if it allows software tools for checking semantical properties of specifications.



Several incomplete refinement/simulation proof rules have been mechanized successfully [HSV94, NS95, DGRV00]. A mechanization of a complete set of simulation rules is reported by Søgaard-Andersen et al. [SAGG+93], but in this approach the verification process is highly interactive and it does not satisfy Wolper's criterion of semantical computational support. In fact, we believe it will be difficult to efficiently mechanize any of the above mentioned complete proof methods using a general purpose theorem prover: too much user interaction will be required. Earlier [GV98, Gri00, Chapter 6], we proposed a proof method based on normed simulations and showed that it can be mechanized efficiently using PVS. In the present paper we study the theoretical properties of normed simulations. In particular, we establish that normed forward and backward simulations together form a complete proof method for establishing behavior inclusion. Before we discuss the technical contributions of this paper in more detail, we first describe the problem that arises in the mechanization of existing complete proof methods, and how this can be solved using normed simulations.

Technically, a simulation (or refinement) is a relation (or function) R between the states of a lower-level specification A and a higher-level specification B, that satisfies a condition like

$$(s, u) \in R \;\wedge\; s \xrightarrow{a}_A t \;\Rightarrow\; \exists v : u \xrightarrow{a}_B v \;\wedge\; (t, v) \in R \tag{1}$$

(If lower-level state s and higher-level state u are related, and in A there is a transition from s to t, then there is a matching transition in B from u to a state v that relates to t; see also Figure 1.) The existence of a simulation implies that any behavior of A can also be exhibited by B.

Figure 1: Transfer condition (1).



The main reason why simulations are useful is that they reduce global reasoning about behaviors and executions to local reasoning about states and transitions. However, to the best of our knowledge, all complete simulation proof methods that appear in the literature fall back on some form of global reasoning in the case of specifications containing internal (or stuttering) transitions. The usual transfer condition for forward simulations [LV95], for instance, says

$$(s, u) \in R \;\wedge\; s \xrightarrow{a}_A t \;\Rightarrow\; \exists\ \text{execution fragment}\ \alpha : \mathit{first}(\alpha) = u \;\wedge\; \mathit{trace}(\alpha) = \mathit{trace}(a) \;\wedge\; (t, \mathit{last}(\alpha)) \in R \tag{2}$$

(Each lower-level transition can be simulated by a sequence of higher-level transitions which, apart from the action that has to be matched, may also contain an arbitrary number of internal "τ" transitions; see also Figure 2.) Thus the research program to reduce global reasoning to local reasoning has not been carried out to its completion.

Figure 2: Transfer condition (2).

In manual proofs of simulation relations, this is usually not a problem: in practice lower-level transitions are typically matched by at most one higher-level transition; moreover humans tend to be quite good at reasoning about sequences, and move effortlessly from transitions to executions and back. In contrast, it turns out to be rather cumbersome to formalize arguments involving sequences using existing theorem provers [DGM97]. In fact, in several papers in which formalizations of simulation proofs are described, the authors only consider a restricted type of simulation in which each lower-level transition is matched by at most one higher-level transition [HSV94, NS95, DGRV00]. However, there are many examples of situations where these restricted types of simulations cannot be applied. In approaches where the full transfer condition (2) is formalized [SAGG+93], the user has to supply the simulating execution fragments α to the prover explicitly, which makes the verification process highly interactive. Jonsson [Jon90] presents a variant of the completeness theorem of Abadi and Lamport [AL91] in terms of certain forward and backward simulations in which lower-level transitions are matched by at most one higher-level transition. However, his completeness result is only partial in the sense that he requires that the higher-level automaton contains no non-trivial τ-steps. In our view this restriction is problematic, especially in a stepwise refinement approach where the higher-level specification in one design step may be the lower-level specification from a previous design step. All the complications that we address in our paper are due to the possible presence of internal actions in the higher-level automaton.

In this paper, we study a simulation proof method which remedies the above problems. The idea is to define a function n that assigns a norm $n(s \xrightarrow{a} t, u)$, in some well-founded domain, to each pair of a transition in A and a state of B. If u has to simulate transition $s \xrightarrow{a} t$ then it may either do nothing (if a is internal and t is related to u), or it may do a matching a-transition, or it may perform an internal transition $u \xrightarrow{\tau} v$ such that the norm decreases, i.e.,

$$n(s \xrightarrow{a} t, v) < n(s \xrightarrow{a} t, u).$$

We establish that normed forward simulations and normed backward simulations together constitute a complete proof method for establishing trace inclusion. In addition we show how history and prophecy relations (which are closely related to history and prophecy variables [AL91]) can be enriched with a norm function, to obtain another complete proof method in combination with a simple notion of refinement mapping.
The preorders generated by normed forward simulations are strictly finer than the preorders induced by Lynch and Vaandrager's forward simulations [LV95]. In fact, we will characterize normed forward simulations in terms of branching forward simulations [GW96], and present a similar characterization for the backward case. It is possible to come up with a variant of normed forward simulation that induces the same preorder as forward simulations, but technically this is somewhat more involved [Gri00, Section 6.5.10].

When proving invariance properties of programs, one is faced with two problems. The first problem is related to the necessity of proving tautologies of the assertion logic, whereas the second manifests itself in the need to find sufficiently strong invariants. In order to address the first problem, powerful decision procedures have been incorporated in theorem provers such as PVS [ORSH95]. If tautology checking is decidable then it is decidable whether a given state predicate is valid for the initial states and preserved by all transitions. The task of finding such a predicate, i.e. solving the second problem, is in most cases still the responsibility of the user, even though some very powerful heuristics have been devised to support and automate the search [BLS96, MBSU98, LBBO01, BGL+00]. Analogously, if specifications A and B, a conjectured forward simulation relation R and norm function n can all be expressed within a decidable assertion logic, and if the specification of B only contains a finite number of deterministic transition predicates, then it is decidable whether the pair (R, n) is a normed forward simulation. This result, which does not hold for earlier approaches such as [LV95], is a distinct advantage of normed forward simulations.

The idea of using norm functions to prove simulation relations was also developed by Groote and Springintveld [GS95], who used it to prove branching bisimilarity in the context of the process algebra μCRL. However, their norm function is defined on the states of B only and does not involve the transitions of A. As a consequence, their method does not always apply to diverging processes. Norm functions very similar to ours were also studied by Namjoshi [Nam97]. He uses them to obtain a characterization of the stuttering bisimulation of Browne et al. [BCG88], which is the equivalent of branching bisimulation in a setting where states rather than actions are labeled [DNV95]. Neither Groote and Springintveld [GS95], nor Namjoshi [Nam97] address effectiveness issues. Although we present normed simulations in a setting of labeled transition systems, it should not be difficult to transfer our results to a process algebraic setting such as that of Groote and Springintveld [GS95] or a state based setting such as Namjoshi's [Nam97]. Inspired by our approach, norm functions have been used by Baier and Stoelinga [BS00] to define a new bisimulation equivalence for probabilistic systems.

In this paper, we only present maximally simple examples to illustrate the various definitions and results. Earlier [GV98, Gri00, Chapter 6], we used normed simulations in a substantial case study, namely the verification of the leader election protocol that is part of the IEEE 1394 "Firewire" standard. This verification has been mechanically checked using PVS.¹

In the presentation of our results, we will closely follow Lynch and Vaandrager [LV95] and stick to their notations. In fact, our aim will be (amongst others) to derive analogous results to theirs, only for different types of simulations. However, we decided not to present normed versions of their forward-backward and backward-forward simulations, since these simulations have thus far not been used in practice and technically this would bring nothing new. Apart from the notion of a norm function, a major technical innovation in the present paper is a new, simple definition of execution correspondence [GSSL93, SALL93], and the systematic use of this concept in the technical development. Although here we only address simulation proof techniques for establishing safety, we expect that based on the execution correspondence lemmas that we prove it will be easy to generalize our results to a setting with liveness properties. We leave it as a topic for future research to substantiate this claim.



¹ Actually, we discovered the notion of a normed simulation while formalizing the correctness proof of this leader election protocol.
2 Preliminaries



In this section, we briefly recall some basic concurrency theory definitions [LV95]. An automaton (or labeled transition system) A consists of

• a (possibly infinite) set states(A) of states,

• a nonempty set start(A) ⊆ states(A) of start states,

• a set acts(A) of actions that includes the internal (or stuttering) action τ, and

• a set steps(A) ⊆ states(A) × acts(A) × states(A) of steps.

Write $s \xrightarrow{a}_A t$ as a shorthand for (s, a, t) ∈ steps(A). We let ext(A), the external actions, denote acts(A) − {τ}. An execution fragment of A is a finite or infinite alternating sequence, $s_0 a_1 s_1 a_2 s_2 \cdots$, of states and actions of A, beginning with a state, and if it is finite also ending with a state, such that for all i > 0, $s_{i-1} \xrightarrow{a_i}_A s_i$. An execution of A is an execution fragment that begins with a start state. We denote by execs*(A) and execs(A) the sets of finite and all executions of A, respectively. A state s of A is reachable if s occurs as the last state in some finite execution α of A. In this case we write reachable(A, s). Also, we write reachable(A) for the set of reachable states of A.

The trace of an execution fragment α, notation trace(α), is the subsequence of non-τ actions occurring in α. A finite or infinite sequence β of external actions is a trace of A if A has an execution α with β = trace(α). Write traces*(A) and traces(A) for the sets of finite and all traces of A, respectively. Write $A \leq^*_T B$ if traces*(A) ⊆ traces*(B), and $A \leq_T B$ if traces(A) ⊆ traces(B).

Suppose A is an automaton, s and t are states of A, and β is a finite sequence over ext(A). We say that (s, β, t) is a move of A, and write $s \stackrel{\beta}{\Longrightarrow}_A t$, or just $s \stackrel{\beta}{\Longrightarrow} t$ when A is clear, if A has a finite execution fragment α that starts in s, has trace β and ends in t.

Three restricted kinds of automata play an important role in this paper:

1. A is deterministic if |start(A)| = 1, and for any state s and any finite sequence β over ext(A), there is at most one state t such that $s \stackrel{\beta}{\Longrightarrow}_A t$. A deterministic automaton is characterized uniquely by the properties that |start(A)| = 1, every τ-step is of the form (s, τ, s) for some s, and for each state s and each action a there is at most one state t such that $s \xrightarrow{a}_A t$.

2. A has finite invisible nondeterminism (fin) if start(A) is finite, and for any state s and any finite sequence β over ext(A), there are only finitely many states t such that $s \stackrel{\beta}{\Longrightarrow}_A t$.

3. A is a forest if, for each state s of A, there is exactly one execution that leads to s. A forest is characterized uniquely by the property that all states of A are reachable, start states have no incoming steps, and each of the other states has exactly one incoming step.

The relation after(A) consists of the pairs (β, s) for which there is a finite execution of A with trace β and last state s:

$$\mathit{after}(A) = \{(\beta, s) \mid \exists \alpha \in \mathit{execs}^*(A) : \mathit{trace}(\alpha) = \beta \text{ and } \mathit{last}(\alpha) = s\}.$$

(Here last denotes the function that returns the last element of a finite, nonempty sequence.) We also define past(A) to be the inverse of after(A), past(A) = after(A)⁻¹; this relates a state s of A to the traces of finite executions of A that lead to s.

The following elementary lemma by Lynch and Vaandrager [LV95] states that for the restricted kinds of automata defined above, the relations after and past satisfy certain nice properties.

Lemma 2.1

1. If A is deterministic then after(A) is a function from traces*(A) to states(A).

2. If A has fin then after(A) is image-finite, i.e., each trace in the domain of after(A) is only related to finitely many states.

3. If A is a forest then past(A) is a function from states(A) to traces*(A).






3 Step Refinements and Execution Correspondence 



In this section, we present step refinements, the simplest notion of simulation that we consider in 
this paper. In order to prove soundness of step refinements, we also introduce the auxiliary notion 
of execution correspondence. This notion plays a key role in this paper; the technical lemmas that 
we prove in this section will also be used repeatedly in subsequent sections. 



3.1 Step Refinements 

Let A and B be automata. A step refinement from A to B is a partial function r from states(A) to states(B) that satisfies the following two conditions:

1. If s ∈ start(A) then s ∈ domain(r) and r(s) ∈ start(B).

2. If $s \xrightarrow{a}_A t$ ∧ s ∈ domain(r) then t ∈ domain(r) and

(a) r(s) = r(t) ∧ a = τ, or

(b) $r(s) \xrightarrow{a}_B r(t)$.

Note that, by a trivial inductive argument, the set of states for which r is defined contains all the reachable states of A (and is thus an invariant of this automaton). We write $A \leq_R B$ if there exists a step refinement from A to B.
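To make the two conditions concrete, here is an added example (not the paper's own code) that checks them on a pair of small automata constructed to mirror the narrative of Example 3.1: the τ-step of A is matched by nothing, a c-step between unreachable states is ignored, and a brute-force search over maps from reachable(A) confirms A ≤_R B but not B ≤_R A. The automata A and B, the map R_AB and all helper functions are assumptions of this example.

```python
# Added example (not from the paper): a checker for the two step-refinement
# conditions of Section 3.1 on finite automata, plus a brute-force search
# for the preorder A <=_R B.  The automata A and B are constructed here to
# mirror the narrative of Example 3.1; they are not the paper's Figure 3.
from itertools import product

TAU = "tau"  # the internal action, written as tau in the paper

# An automaton is a dict: 'start' is a set of states, 'steps' a set of
# (source, action, target) triples; states(A) is derived from both.
A = {"start": {"s0"},
     "steps": {("s0", TAU, "s1"),   # tau-step, matched by nothing in B
               ("s1", "a", "s2"),
               ("s3", "c", "s4")}}  # s3 and s4 are unreachable
B = {"start": {"u0"},
     "steps": {("u0", "a", "u1")}}

# Candidate step refinement from A to B (partial: s3, s4 not in its domain).
R_AB = {"s0": "u0", "s1": "u0", "s2": "u1"}


def states(aut):
    return aut["start"] | {q for (x, _, y) in aut["steps"] for q in (x, y)}


def is_step_refinement(A, B, r):
    """True iff the partial function r (a dict) is a step refinement from A to B."""
    # Condition 1: start states lie in domain(r) and are mapped to start states.
    for s in A["start"]:
        if s not in r or r[s] not in B["start"]:
            return False
    # Condition 2: every step leaving a state in domain(r) ends in domain(r)
    # and is either a stuttering step (2a) or matched by one step of B (2b).
    for (s, a, t) in A["steps"]:
        if s not in r:
            continue  # steps outside domain(r) impose nothing
        if t not in r:
            return False
        stutter = a == TAU and r[s] == r[t]          # clause (2a)
        matched = (r[s], a, r[t]) in B["steps"]      # clause (2b)
        if not (stutter or matched):
            return False
    return True


def reachable(aut):
    """reachable(A) from Section 2, by a plain graph search from start(A)."""
    seen, todo = set(aut["start"]), list(aut["start"])
    while todo:
        s = todo.pop()
        for (x, _, y) in aut["steps"]:
            if x == s and y not in seen:
                seen.add(y)
                todo.append(y)
    return seen


def find_step_refinement(A, B):
    """Return a step refinement from A to B, or None if there is none (A <=_R B?).

    Only reachable states of A need a value (the paper notes domain(r) always
    contains them), so it suffices to enumerate all maps reachable(A) -> states(B).
    """
    dom = sorted(reachable(A))
    codom = sorted(states(B))
    for image in product(codom, repeat=len(dom)):
        r = dict(zip(dom, image))
        if is_step_refinement(A, B, r):
            return r
    return None


if __name__ == "__main__":
    print("R_AB is a step refinement from A to B:", is_step_refinement(A, B, R_AB))
    print("A <=_R B:", find_step_refinement(A, B) is not None)
    print("B <=_R A:", find_step_refinement(B, A) is not None)
```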

As far as we know, the notion of step refinements was first proposed by Nipkow and Slind [NS95]. However, if we insist on the presence of stuttering steps $s \xrightarrow{\tau} s$ for each state s (a common assumption in models of reactive systems) then clause (2a) in the above definition becomes superfluous and the notion of a step refinement reduces to that of a homomorphism between reachable subautomata [Gin68]. Step refinements are slightly more restrictive than the possibility mappings of Lynch and Tuttle [LT87] (called weak refinements by Lynch and Vaandrager [LV95]). In the case of a possibility mapping each (reachable) step of A may be matched by a sequence of steps in B with the same trace. This means that in the above definition condition (2) is replaced by:

2. If $s \xrightarrow{a}_A t$ ∧ s ∈ domain(r) then t ∈ domain(r) and B has an execution fragment α with first(α) = r(s), trace(α) = trace(a) and last(α) = r(t).

Observe that, unlike step refinements, possibility mappings do not reduce global reasoning to local reasoning.

Example 3.1 Figure 3 illustrates the notion of a step refinement. Note that the τ-steps in A are not matched by any step in B. Also the c-step in A is not matched by any step in B: both source and target states of this step are outside the domain of the step refinement. This is allowed since both states are unreachable. Observe that there is no step refinement from B to A, but that there exists a possibility mapping from B to A.

Figure 4 gives another example. In this case there is a step refinement from A' to B' but not from B' to A'. There is not even a possibility mapping from B' to A'.

The following proposition states a basic sanity property of step refinements. 

Proposition 3.2 $\leq_R$ is a preorder (i.e., is transitive and reflexive).

Proof: The identity function from states(A) to itself trivially is a step refinement from A to itself. Hence $\leq_R$ is reflexive. Transitivity follows from the observation that if r is a step refinement from A to B and r' is a step refinement from B to C, then the function composition r' ∘ r is a step refinement from A to C. □
Figure 3: A step refinement.

Figure 4: Another step refinement.



3.2 Execution Correspondence 

If there exists a step refinement from A to B then we can construct, for each execution fragment of A, a corresponding execution fragment of B with the same trace. The notion of 'corresponding' is formalized below.

Suppose A and B are automata, R ⊆ states(A) × states(B), and $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$ and $\alpha' = u_0 b_1 u_1 b_2 u_2 \cdots$ are execution fragments of A and B, respectively. Let index(α) and index(α') denote the index sets of α and α'. Then α and α' correspond via R and are R-related, notation (α, α') ∈ R, if there exists an index relation over R, i.e., a relation I ⊆ index(α) × index(α') such that (1) if two indices are related by I then the corresponding states are related by R; (2) I is monotone; (3) each index of α is related to an index of α' and vice versa; (4) sides of "squares" always have the same label and sides of "triangles" are labeled with τ. Formally we require, for i, i' ∈ index(α) and j, j' ∈ index(α'),

1. $(i, j) \in I \;\Rightarrow\; (s_i, u_j) \in R$

2. $(i, j) \in I \wedge (i', j') \in I \wedge i < i' \;\Rightarrow\; j \le j'$

3. $I$ and $I^{-1}$ are total

4. (a) $(i, j) \in I \wedge (i+1, j+1) \in I \;\Rightarrow\; a_{i+1} = b_{j+1}$

   (b) $(i, j) \in I \wedge (i+1, j) \in I \;\Rightarrow\; a_{i+1} = \tau$

   (c) $(i, j) \in I \wedge (i, j+1) \in I \;\Rightarrow\; b_{j+1} = \tau$

We write (A, B) ∈ R if for every execution α of A there is an execution α' of B such that (α, α') ∈ R, and [A, B] ∈ R if for every finite execution α of A there is a finite execution α' of B with (α, α') ∈ R. Figure 5 illustrates the correspondence between two executions of automata A and B from Figure 3.

Figure 5: Execution correspondence.



Another notion of correspondence has been presented by Søgaard-Andersen, Lynch et al. [GSSL93, SALL93] and formalized by Mueller [Mue98]. Within the theory of I/O automata, execution correspondence plays a crucial role in proofs of preservation of both safety and liveness properties. Our notion is more restrictive than earlier work [GSSL93, SALL93], but technically simpler. Moreover it has the advantage that it preserves 'until' properties. In this paper, we only study safety properties and it suffices to know that corresponding executions have the same trace. The latter fact is established in the next lemma.

Lemma 3.3 (Corresponding execution fragments have the same trace)

1. Suppose I is an index relation as above and (i, j) ∈ I. Then $\mathit{trace}(s_0 a_1 s_1 \cdots a_i s_i) = \mathit{trace}(u_0 b_1 u_1 \cdots b_j u_j)$.

2. If (α, α') ∈ R then trace(α) = trace(α').

Proof: For (1), suppose (i, j) ∈ I. By induction on i + j we prove

$$\mathit{trace}(s_0 a_1 s_1 \cdots a_i s_i) = \mathit{trace}(u_0 b_1 u_1 \cdots b_j u_j).$$

If i + j = 0 then both i and j are 0. Clearly, trace(s_0) = trace(u_0) = λ.

For the induction step, suppose i + j > 0. For reasons of symmetry we may assume, without loss of generality, that i > 0. Let j' be the largest index with j' ≤ j and (i − 1, j') ∈ I. (By monotonicity, i − 1 can only be related to indices less than or equal to j, and by totality there is at least one such index.) We distinguish between three cases:

1. j' = j. Then by condition (4b), $a_i = \tau$. By induction hypothesis, $\mathit{trace}(s_0 a_1 s_1 \cdots a_{i-1} s_{i-1}) = \mathit{trace}(u_0 b_1 u_1 \cdots b_j u_j)$. Hence $\mathit{trace}(s_0 a_1 s_1 \cdots a_i s_i) = \mathit{trace}(u_0 b_1 u_1 \cdots b_j u_j)$.

2. j' = j − 1. Then by condition (4a), $a_i = b_j$. By induction hypothesis, $\mathit{trace}(s_0 a_1 s_1 \cdots a_{i-1} s_{i-1}) = \mathit{trace}(u_0 b_1 u_1 \cdots b_{j-1} u_{j-1})$. Hence $\mathit{trace}(s_0 a_1 s_1 \cdots a_i s_i) = \mathit{trace}(u_0 b_1 u_1 \cdots b_j u_j)$.

3. j' < j − 1. Then by conditions (2) and (3), (i, j − 1) ∈ I. By condition (4c), this implies $b_j = \tau$. By induction hypothesis, $\mathit{trace}(s_0 a_1 s_1 \cdots a_i s_i) = \mathit{trace}(u_0 b_1 u_1 \cdots b_{j-1} u_{j-1})$. Hence $\mathit{trace}(s_0 a_1 s_1 \cdots a_i s_i) = \mathit{trace}(u_0 b_1 u_1 \cdots b_j u_j)$.

This completes the proof of the induction step.

For (2), suppose that (α, α') ∈ R. Then there exists an index relation I that relates α and α'. Using (1) and the fact that both I and I⁻¹ are total, it follows that each finite prefix of trace(α) is also a finite prefix of trace(α'), and vice versa. This implies trace(α) = trace(α'). □
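As an added illustration (not from the paper), the following Python checks conditions (1) to (4) of an index relation on two constructed execution fragments and verifies both parts of Lemma 3.3 on them. The fragments ALPHA and ALPHA_P, the relation R and the index relation I are constructed for this example; Python's 0-based action index k stands for the paper's $a_{k+1}$.

```python
# Added example (not from the paper): a checker for the four index-relation
# conditions of Section 3.2, applied to two constructed execution fragments,
# and a direct check of both parts of Lemma 3.3 on them.
TAU = "tau"

# An execution fragment is a list s0, a1, s1, a2, s2, ...; Python index k of
# the action list corresponds to a_{k+1} in the paper's notation.
ALPHA = ["s0", TAU, "s1", "a", "s2", "b", "s3"]     # constructed fragment of A
ALPHA_P = ["u0", "a", "u1", TAU, "u2", "b", "u3"]   # constructed fragment of B
R = {("s0", "u0"), ("s1", "u0"), ("s2", "u1"), ("s2", "u2"), ("s3", "u3")}
# Candidate index relation: a "triangle" (0,0)-(1,0), a "square"
# (1,0)-(2,1), a triangle (2,1)-(2,2) and a square (2,2)-(3,3).
I = {(0, 0), (1, 0), (2, 1), (2, 2), (3, 3)}


def split(frag):
    """States s_0..s_n and actions a_1..a_n of a fragment."""
    return frag[0::2], frag[1::2]


def trace(frag):
    """trace(alpha): the subsequence of non-tau actions."""
    return [a for a in frag[1::2] if a != TAU]


def is_index_relation(alpha, alpha_p, R, I):
    S, a = split(alpha)
    U, b = split(alpha_p)
    # (1) related indices carry R-related states
    if any((S[i], U[j]) not in R for (i, j) in I):
        return False
    # (2) monotone: i < i' implies j <= j'
    if any(i < i2 and j > j2 for (i, j) in I for (i2, j2) in I):
        return False
    # (3) I and its inverse are total
    if {i for i, _ in I} != set(range(len(S))) or {j for _, j in I} != set(range(len(U))):
        return False
    # (4) squares carry equal labels, the odd sides of triangles are tau
    for (i, j) in I:
        if (i + 1, j + 1) in I and a[i] != b[j]:     # (4a): a_{i+1} = b_{j+1}
            return False
        if (i + 1, j) in I and a[i] != TAU:          # (4b): a_{i+1} = tau
            return False
        if (i, j + 1) in I and b[j] != TAU:          # (4c): b_{j+1} = tau
            return False
    return True


def prefix_traces_agree(alpha, alpha_p, I):
    """Lemma 3.3(1): for every (i, j) in I the prefixes up to s_i and u_j have equal traces."""
    return all(trace(alpha[:2 * i + 1]) == trace(alpha_p[:2 * j + 1]) for (i, j) in I)


if __name__ == "__main__":
    print("I is an index relation:", is_index_relation(ALPHA, ALPHA_P, R, I))
    print("Lemma 3.3(1) on all related indices:", prefix_traces_agree(ALPHA, ALPHA_P, I))
    print("Lemma 3.3(2), equal traces:", trace(ALPHA) == trace(ALPHA_P))
```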

The next corollary will be used repeatedly in the rest of this paper. It states that in order to prove trace inclusion between automata A and B it suffices to find for each execution of A a corresponding execution of B. Depending on whether one wants to prove inclusion of all traces or of finite traces only, a stronger respectively weaker type of execution correspondence is required.

Corollary 3.4 (Execution correspondence implies trace inclusion)

1. If (A, B) ∈ R then [A, B] ∈ R.

2. If [A, B] ∈ R then $A \leq^*_T B$.

3. If (A, B) ∈ R then $A \leq_T B$.

Proof: Statement (1) follows from the definitions. Statements (2) and (3) follow immediately from Lemma 3.3 and the definitions. □



3.3 Soundness and Partial Completeness 

The next theorem states that if there is a step refinement from A to B, it is possible to construct, for each execution of A, a corresponding execution of B. Using Corollary 3.4, this implies that step refinements constitute a sound technique for proving trace inclusion. In addition, the next theorem also allows us to use step refinements as a sound technique for proving implementation relations between live automata, as in previous work [GSSL93, SALL93, Mue98].

Theorem 3.5 (Soundness of step refinements)

If r is a step refinement from A to B then (A, B) ∈ r.

Proof: Suppose r is a step refinement from A to B. Let $\alpha = s_0 a_1 s_1 \cdots$ be an execution of A. Inductively, we define an execution $\alpha' = u_0 b_1 u_1 \cdots$ of B and an index relation I such that α and α' are r-related via I.

To start with, define $u_0 = r(s_0)$ and declare (0, 0) to be an element of I.

Now suppose (i, j) ∈ I and i is a nonfinal index of α. We distinguish between two cases:

1. If $a_{i+1} \neq \tau$ or $r(s_i) \neq r(s_{i+1})$ (so that clause (2b) applies to the step $s_i \xrightarrow{a_{i+1}} s_{i+1}$) then define $b_{j+1} = a_{i+1}$, $u_{j+1} = r(s_{i+1})$, and declare (i + 1, j + 1) to be an element of I;

2. otherwise (the step is a τ-step with $r(s_i) = r(s_{i+1})$, clause (2a)), declare (i + 1, j) to be an element of I.

By construction, using the defining properties of a step refinement, it follows that I is an index relation. This implies (A, B) ∈ r. □

Step refinements alone do not provide a complete method for proving trace inclusion. There is a partial completeness result, however.

Theorem 3.6 (Partial completeness of step refinements)

Suppose A is a forest, B is deterministic and $A \leq^*_T B$. Then $A \leq_R B$.

Proof: The relation r = after(B) ∘ past(A) is a step refinement from A to B. □

Actually, we can even slightly strengthen the above theorem. It suffices to assume that A restricted to its reachable states is a forest, and that B restricted to its reachable states is deterministic. In Figure 3, automaton A restricted to its reachable states is a forest and automaton B is deterministic. As we observed already, there is a step refinement from A to B. Even if we restrict to reachable states, automaton B is not a forest and automaton A is not deterministic. As we observed, there is no step refinement from B to A.



In practice, the preconditions of Theorem 3.6 are seldom met. The higher-level specification often is deterministic, but it rarely occurs that the lower-level specification is a forest. Nevertheless, step refinements have been used in several substantial case studies [HSV94, NS95, DGRV00].



4 Normed Forward Simulations 

Even though there exists no step refinement from automaton B' to automaton A' in Figure 4, these automata do have the same traces. By moving from functions to relations it becomes possible to prove that each trace of B' is also a trace of A'. This idea is formalized in the following definition.

A normed forward simulation from A to B consists of a relation f ⊆ states(A) × states(B) and a function n : steps(A) × states(B) → S, for some well-founded set S, such that (here f[s] denotes the set {u | (s, u) ∈ f}):

1. If s ∈ start(A) then f[s] ∩ start(B) ≠ ∅.

2. If $s \xrightarrow{a}_A t$ ∧ u ∈ f[s] then

(a) u ∈ f[t] ∧ a = τ, or

(b) $\exists v \in f[t] : u \xrightarrow{a}_B v$, or

(c) $\exists v \in f[s] : u \xrightarrow{\tau}_B v \;\wedge\; n(s \xrightarrow{a} t, v) < n(s \xrightarrow{a} t, u)$.

Write $A \leq_F B$ if there exists a normed forward simulation from A to B.

The intuition behind this definition is that if $s \xrightarrow{a}_A t$ and (s, u) ∈ f, then either (a) the transition in A is a stuttering step that does not have to be matched, or (b) there is a matching step in B, or (c) B can do a stuttering step which decreases the norm. Since the norm decreases at each application of clause (c), this clause can only be applied a finite number of times. In general, the norm function may depend both on the transitions in A and on the states of B. However, if B is convergent, i.e., there are no infinite τ-paths, then one can simplify the type of the norm function (though not necessarily the definition of the norm function itself) to n : states(B) → S. In fact, in the approach of Groote and Springintveld [GS95], which does not always apply to divergent processes, the norm function is required to be of this restricted type.

Example 4.1 In Figure 4, the relation indicated by the dashed lines, together with an arbitrary norm function, is a normed forward simulation from B' to A'.

Consider automata A and B in Figure 3. Let n be the function that assigns norm 1 to state s0 and norm 0 to all other states of A. Then n together with the relation indicated by the dashed lines constitutes a normed forward simulation from B to A.

Now consider the automata C and D in Figure 6. Let m be a norm function satisfying

$$m(s_0 \to s_1, u_0) = m(s_0 \to s_1, u_1) = 1, \qquad m(s_0 \to s_3, u_0) = 1, \quad m(s_0 \to s_3, u_1) = 0.$$

Then m together with the relation indicated by the dashed lines constitutes a normed forward simulation from C to D. It is not hard to see that in this example, where D is not convergent, the norm necessarily depends on the selected step in C.

The example of Figure 6 also serves to illustrate the difference between normed forward simulations and the forward simulations that were studied by Jonsson [Jon90, Jon91, Jon94]. Essentially, Jonsson's forward simulations are just normed forward simulations, except that there is no norm function and condition 2(c) has been omitted. We leave it to the reader to check that there exists no forward simulation in this sense from C to D. This is the case even when we add "stuttering" τ-loops to each state, as required in Jonsson's models.

Figure 6: Norm function must take steps of C into account.
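Added example, not the paper's code: a checker for conditions 1 and 2(a) to 2(c) of a normed forward simulation, run on two constructed automata C and D with a divergent τ-loop in D. As in Example 4.1, a norm defined on the states of D alone cannot work here while a norm on pairs of a C-step and a D-state can, and dropping the norm altogether (Jonsson's forward simulations) fails as well. The automata, the relation F and the norm functions are constructed for this example and are not the paper's Figure 6.

```python
# Added example (not from the paper): a checker for the definition of a normed
# forward simulation (Section 4) on finite automata.  Automata C and D below
# are constructed here to make the point of Example 4.1 with a divergent D
# (tau-loop u0 -> u1 -> u0); they are not the paper's Figure 6.
TAU = "tau"

# An automaton is a dict: 'start' is a set of states, 'steps' a set of
# (source, action, target) triples.
C = {"start": {"s0"},
     "steps": {("s0", "a", "s1"), ("s0", "b", "s3")}}
D = {"start": {"u0"},
     "steps": {("u0", "a", "u2"), ("u0", TAU, "u1"),
               ("u1", "b", "u3"), ("u1", TAU, "u0")}}

# Relation f: s0 is related to both u0 and u1, since from u0 only 'a' and
# from u1 only 'b' can be matched directly.
F = {("s0", "u0"), ("s0", "u1"), ("s1", "u2"), ("s3", "u3")}


def step_norm(s, a, t, u):
    """n : steps(C) x states(D) -> N (non-negative integers, a well-founded set).
    The norm of the a-step is 0 at u0 and 1 at u1, that of the b-step the other
    way round, so the tau-step leading to the matching state decreases it."""
    return {("a", "u0"): 0, ("a", "u1"): 1, ("b", "u0"): 1, ("b", "u1"): 0}[(a, u)]


def is_normed_forward_simulation(A, B, f, n):
    """True iff (f, n) satisfies conditions 1 and 2(a)-(c) of Section 4.

    f is a set of (s, u) pairs, n a function (s, a, t, u) -> int.  Passing
    n=None drops clause 2(c) altogether, which gives Jonsson's forward
    simulations as described in the remark on Jonsson above."""
    def f_of(s):                      # f[s] = {u | (s, u) in f}
        return {u for (x, u) in f if x == s}

    # Condition 1: every start state of A is related to some start state of B.
    for s in A["start"]:
        if not (f_of(s) & B["start"]):
            return False
    # Condition 2: for each step of A from s and each u in f[s] ...
    for (s, a, t) in A["steps"]:
        for u in f_of(s):
            if a == TAU and u in f_of(t):                       # 2(a): stuttering step
                continue
            if any((u, a, v) in B["steps"] for v in f_of(t)):   # 2(b): matching step
                continue
            if n is not None and any(                           # 2(c): tau-step of B
                    (u, TAU, v) in B["steps"]                   # that decreases the norm
                    and n(s, a, t, v) < n(s, a, t, u)
                    for v in f_of(s)):
                continue
            return False
    return True


def state_only_norm(order):
    """A norm that ignores the step of C, as in the convergent case n : states(D) -> S."""
    return lambda s, a, t, u: order[u]


if __name__ == "__main__":
    print("step-dependent norm:", is_normed_forward_simulation(C, D, F, step_norm))
    for order in ({"u0": 1, "u1": 0}, {"u0": 0, "u1": 1}):
        print("state-only norm", order, ":",
              is_normed_forward_simulation(C, D, F, state_only_norm(order)))
    print("without norm (Jonsson):", is_normed_forward_simulation(C, D, F, None))
```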

The next proposition asserts that normed forward simulations indeed generalize step refinements.

Proposition 4.2 $A \leq_R B \;\Rightarrow\; A \leq_F B$.

Proof: Together with an arbitrary norm function, any step refinement (viewed as a relation) is a normed forward simulation. □

The soundness of normed forward simulations is trivially implied by the following lemma and Corollary 3.4.

Lemma 4.3 Suppose (f, n) is a normed forward simulation from A to B, A has an execution fragment α with first state s, and u is a state of B with u ∈ f[s]. Then B has an execution fragment α' that starts in u such that (α, α') ∈ f.

Proof: Let $c : \mathit{steps}(A) \times \mathit{states}(B) \to \{L, C, R\} \times \mathit{states}(B)$ be a function such that $c(s \xrightarrow{a} t, u) = (x, v)$ and u ∈ f[s] implies

1. If x = L then u ∈ f[t] ∧ a = τ.

2. If x = C then v ∈ f[t] ∧ $u \xrightarrow{a}_B v$.

3. If x = R then v ∈ f[s] ∧ $u \xrightarrow{\tau}_B v$ ∧ $n(s \xrightarrow{a} t, v) < n(s \xrightarrow{a} t, u)$.

The existence of c, which chooses between a left move (L) of A, a common move (C) of A and B, or a right move (R) of B, is guaranteed by the fact that (f, n) is a normed forward simulation.

Let $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$. Then $s = s_0$. Inductively, we define a sequence $\sigma = z_0 z_1 z_2 \cdots$ of 4-tuples in $\mathbb{N} \times \mathbb{N} \times \mathit{acts}(B) \times \mathit{states}(B)$. The first element in the sequence is $z_0 = (0, 0, \tau, u)$. If $z_k = (i, j, b, u)$ is an element of the sequence, and i is a nonfinal index of α, then we define $z_{k+1}$ as follows:

1. If $c(s_i \xrightarrow{a_{i+1}} s_{i+1}, u) = (L, v)$ then $z_{k+1} = (i + 1, j, b, u)$.

2. If $c(s_i \xrightarrow{a_{i+1}} s_{i+1}, u) = (C, v)$ then $z_{k+1} = (i + 1, j + 1, a_{i+1}, v)$.

3. If $c(s_i \xrightarrow{a_{i+1}} s_{i+1}, u) = (R, v)$ then $z_{k+1} = (i, j + 1, \tau, v)$.

Suppose that both (i, j, b, u) and (i', j, b', u') occur in sequence σ. We claim that b = b' and u = u'. To see why this is true assume without loss of generality that (i, j, b, u) occurs before (i', j, b', u'). Now observe that the values of both the first and second component of elements in σ increase monotonically. This means that each successor of (i, j, b, u) up to and including (i', j, b', u') has been obtained from its predecessor by applying rule (1). This implies that the second, third and fourth components of all elements in the sequence from (i, j, b, u) until (i', j, b', u') coincide. Hence b = b' and u = u'.

Using this property, we can define for each element (i, j, b, u) in σ, $b_j = b$ and $u_j = u$. Let $\alpha' = u_0 b_1 u_1 b_2 u_2 \cdots$ and let $I = \{(i, j) \mid \exists b, u : (i, j, b, u) \text{ occurs in } \sigma\}$. By construction of σ, using the properties of c, it follows that α' is an execution fragment of B that starts in u, and that I is an index relation over f. This implies (α, α') ∈ f. □



Theorem 4.4 (Soundness of normed forward simulations)

If $f$ is a normed forward simulation from A to B then $(A, B) \in f$.

Proof: Immediate from the definitions and Lemma 4.3. □



Example 4.5 Consider automata C and E in Figure 7. There does not exist a normed forward simulation from C to E. Such a simulation would have to relate states s0 and u0. But in order for E to simulate the step $s0 \xrightarrow{} s3$, it would also have to relate states s0 and u2. But this is impossible since from state u1 there is no way to simulate the step $s0 \xrightarrow{} s1$.

Figure 7: Difference between forward simulations and normed forward simulations.



It turns out that there does exist a forward simulation in Lynch and Vaandrager's sense [LV95] from C to E. In the case of a forward simulation, a step of A may be matched by a sequence of steps in B with the same trace. This means that in the definition of a normed forward simulation condition (2) is replaced by:

2. If $s \xrightarrow{a} t \wedge u \in f[s]$ then B has an execution fragment $\alpha$ with $first(\alpha) = u$, $trace(\alpha) = trace(a)$ and $last(\alpha) \in f[t]$.

The dashed lines in Figure 7 indicate a forward simulation from C to E.

The automata A and B in Figure ^ provide us with a similar example: there exists a forward simulation from B to A, but no normed forward simulation.

The difference between forward simulations and normed forward simulations is very similar to the difference between Milner's observation equivalence [Mil89] and the branching bisimulation of Van Glabbeek and Weijland [GW96]. In fact, we can characterize normed forward simulations in terms of "branching forward simulations", a notion that is inspired by the branching bisimulations of [GW96]. A similar characterization has been obtained by Namjoshi [Nam97] in the setting of stuttering bisimulations.

Formally, a branching forward simulation from A to B is a relation $f \subseteq states(A) \times states(B)$ such that

1. If $s \in start(A)$ then $f[s] \cap start(B) \neq \emptyset$.

2. If $s \xrightarrow{a} t$ and $u \in f[s]$ then B has an execution fragment that starts in u and that is $f$-related to $s \xrightarrow{a} t$.

The following theorem implies that there exists a normed forward simulation between two 
automata if and only if there is a branching forward simulation between them. 

Theorem 4.6

1. Suppose $(f, n)$ is a normed forward simulation from A to B. Then $f$ is a branching forward simulation from A to B.

2. Suppose $f$ is a branching forward simulation from A to B. Let $n(s \xrightarrow{a} t, u)$ be 0 if $u \notin f[s]$ and otherwise be equal to the length of the shortest execution fragment that starts in u and that is $f$-related to $s \xrightarrow{a} t$. Then $(f, n)$ is a normed forward simulation from A to B.

Proof: Part (1) follows by Lemma 4.3. The proof of part (2) is routine. □



An interesting corollary of Theorem 4.6 is that if there exists a normed forward simulation 
between two automata, there is in fact a normed forward simulation with a norm that has the 
natural numbers as its range. 
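The definition of a normed forward simulation, the weaker forward simulation of [LV95] quoted above, and the norm construction of Theorem 4.6(2) can all be checked mechanically on finite automata. The following Python program is an added example, not code from the paper; the two automata, their relations and the function names are constructed for illustration. `forward_norm` tries to build the norm of Theorem 4.6(2), counted in $\tau$-steps taken inside $f[s]$ (the cases L, C and R of the proof of Lemma 4.3 are conditions 2(a), 2(b) and 2(c)); it returns `None` exactly when no norm exists, i.e. when $f$ is not a branching forward simulation. `weak_forward_sim` checks the replacement condition (2) of [LV95]. The constructed pair A, B reproduces the phenomenon of Figure 7: a forward simulation exists, but no normed one.

```python
from collections import deque

# Constructed example automata (not the paper's figures). An automaton is a
# pair (start states, list of steps (s, a, t)); "tau" is the invisible action.
TAU = "tau"

# A: s0 -a-> s1 and s0 -b-> s2 (the choice is made at the visible step).
A = ({"s0"}, [("s0", "a", "s1"), ("s0", "b", "s2")])
# B: u0 -tau-> u1 -a-> u3 and u0 -tau-> u2 -b-> u4 (the tau step commits early).
B = ({"u0"}, [("u0", TAU, "u1"), ("u1", "a", "u3"),
              ("u0", TAU, "u2"), ("u2", "b", "u4")])
# B2: u0 -tau-> u1, u1 -a-> u3, u1 -b-> u4 (the tau step commits to nothing).
B2 = ({"u0"}, [("u0", TAU, "u1"), ("u1", "a", "u3"), ("u1", "b", "u4")])

def image(f, s):
    return {u for (x, u) in f if x == s}

def succ(aut, u, a):
    return {v for (x, b, v) in aut[1] if x == u and b == a}

def forward_norm(A, B, f):
    """Norm of Theorem 4.6(2) for every (step, u): the smallest number of
    tau-steps of B, all staying inside f[s] (condition 2(c)), that lead from u
    to a state w where 2(a) (a = tau and w in f[t]) or 2(b) (w -a->_B v with
    v in f[t]) holds. Returns None when some pair has no such fragment."""
    start_a, steps_a = A
    start_b, _ = B
    # condition 1: some state in the image of each start state is a start state
    for s in start_a:
        if not (image(f, s) & start_b):
            return None
    norm = {}
    for (s, a, t) in steps_a:
        fs, ft = image(f, s), image(f, t)
        good = {w for w in fs if (a == TAU and w in ft) or (succ(B, w, a) & ft)}
        # breadth-first search backwards along tau-steps that stay inside f[s]
        dist = {w: 0 for w in good}
        frontier = deque(good)
        while frontier:
            w = frontier.popleft()
            for v in fs:
                if w in succ(B, v, TAU) and v not in dist:
                    dist[v] = dist[w] + 1
                    frontier.append(v)
        if set(dist) != fs:
            return None
        for u, d in dist.items():
            norm[((s, a, t), u)] = d
    return norm

def weak_forward_sim(A, B, f):
    """Forward simulation in the sense of [LV95]: every step s -a-> t of A is
    matched from each u in f[s] by a fragment of B with trace(a) ending in f[t]."""
    start_a, steps_a = A
    start_b, _ = B
    if any(not (image(f, s) & start_b) for s in start_a):
        return False

    def tau_closure(us):
        seen, todo = set(us), list(us)
        while todo:
            w = todo.pop()
            for v in succ(B, w, TAU):
                if v not in seen:
                    seen.add(v)
                    todo.append(v)
        return seen

    for (s, a, t) in steps_a:
        for u in image(f, s):
            reach = tau_closure({u})
            if a != TAU:
                reach = tau_closure({v for w in reach for v in succ(B, w, a)})
            if not (reach & image(f, t)):
                return False
    return True

# F1 relates only the "corner" states; F2 additionally relates s0 to u1.
F1 = {("s0", "u0"), ("s1", "u3"), ("s2", "u4")}
F2 = {("s0", "u0"), ("s0", "u1"), ("s1", "u3"), ("s2", "u4")}
```

Running `forward_norm(A, B, F1)` yields `None` while `weak_forward_sim(A, B, F1)` is true: from u0 neither 2(a) nor 2(b) applies and the only $\tau$-successors of u0 lie outside $f[s0]$, so 2(c) cannot be used, whereas the [LV95] condition accepts the fragment u0 $\tau$ u1 a u3. Adding (s0, u1) to the relation does not help against B, because u1 then also has to simulate the b-step. Against B2, `forward_norm(A, B2, F2)` succeeds with norm 1 at u0 and norm 0 at u1 for both steps of A.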



The proof that branching bisimilarity is an equivalence is known to be tricky [Bas96]. Likewise, the proof that branching forward simulations induce a preorder is nontrivial. We first need to define the auxiliary concept of a reduced index relation and to prove a lemma about it.

Suppose that $\alpha$ and $\alpha'$ are $R$-related via index relation $I$. We say that $I$ is reduced if the following two conditions are satisfied:

1. If $\alpha$ is finite then $I$ relates the final index of $\alpha$ only to the final index of $\alpha'$.

2. $I$ is N-free: $(i, j) \in I \wedge (i+1, j+1) \in I \Rightarrow (i+1, j) \notin I \wedge (i, j+1) \notin I$.

Observe that if a is finite and / is reduced, then a' is also finite. The following technical lemma 
states that index relations can always be reduced. 

Lemma 4.7 Suppose that $\alpha$ and $\alpha'$ are $R$-related via index relation $I$. Then $\alpha'$ has a prefix $\alpha''$ that is $R$-related to $\alpha$ via a reduced index relation $J \subseteq I$.

Proof: If $\alpha$ is infinite then let $\alpha'' = \alpha'$. If $\alpha$ is finite then let $\alpha''$ be the finite prefix of $\alpha'$ up to and including the first state whose index is related by $I$ to the final index of $\alpha$.

Inductively we define a sequence $\sigma = z_0 z_1 z_2 \cdots$ of pairs in $\mathbb{N} \times \mathbb{N}$. The first element of the sequence is $z_0 = (0, 0)$. If $z_k = (i, j)$ is an element of the sequence and $i$ is a nonfinal index then we define $z_{k+1}$ as follows:

1. $(i+1, j+1) \in I \Rightarrow z_{k+1} = (i+1, j+1)$

2. $(i+1, j) \in I \wedge (i+1, j+1) \notin I \Rightarrow z_{k+1} = (i+1, j)$

3. $(i, j+1) \in I \wedge (i+1, j+1) \notin I \Rightarrow z_{k+1} = (i, j+1)$

Note that since $I$ is an index relation, $z_{k+1}$ is properly defined. Let $J = \{(i, j) \mid (i, j) \text{ occurs in } \sigma\}$. It is routine to check that $J \subseteq I$, that $\alpha$ and $\alpha''$ are $R$-related via $J$, and that $J$ is reduced. A tricky point is the totality of $J$ and $J^{-1}$. We prove that $J$ is total by contradiction. Suppose that $J$ is not total. Let $i$ be the smallest index of $\alpha$ with $J[i] = \emptyset$. Let $j$ be the smallest index of $\alpha'$ with $(i, j) \in I$ ($j$ exists since index relation $I$ is total). Let $l$ be the maximal index of $\alpha'$ with $(i-1, l) \in J$ (there is a maximal index since $(i-1, l) \in J$ implies $(i-1, l) \in I$, which implies $l \le j$ by monotonicity of index relation $I$). Let $z_k = (i-1, l)$. Since $J[i] = \emptyset$, $z_{k+1} = (i-1, l+1)$. Hence $(i-1, l+1) \in J$. But this contradicts the fact that $l$ is the maximal index of $\alpha'$ with $(i-1, l) \in J$.

In a similar way also the totality of $J^{-1}$ and N-freeness can be proved by contradiction. □

We are now prepared to prove that branching forward simulations (and hence also normed 
forward simulations) induce a preorder. 

Proposition 4.8 $\le_F$ is a preorder.

Proof: For reflexivity, observe that the identity function from $states(A)$ to itself is a branching forward simulation from A to itself.

For transitivity, suppose $f$ and $g$ are branching forward simulations from A to B and from B to C, respectively. We claim that $g \circ f$ is a branching forward simulation from A to C. It is trivial to check that $g \circ f$ satisfies condition (1) in the definition of a branching forward simulation. For condition (2), suppose that $s \xrightarrow{a}_A t \wedge u \in (g \circ f)[s]$. Then there exists a state $w$ of B such that $w \in f[s]$ and $u \in g[w]$. Hence there is an execution fragment $\alpha$ starting in $w$ such that $s \xrightarrow{a} t$ and $\alpha$ are $f$-related via some index relation $I$. By Lemma 4.7, we may assume that $I$ is reduced. Also there is an execution fragment $\alpha'$ starting in $u$ such that $\alpha$ and $\alpha'$ are $g$-related via some index relation $J$. Again by Lemma 4.7, we may assume that $J$ is reduced. Using the fact that both $I$ and $J$ are reduced, it is routine to check that $s \xrightarrow{a} t$ and $\alpha'$ are $g \circ f$-related via index relation $J \circ I$. Thus $g \circ f$ satisfies condition (2) in the definition of a branching forward simulation. □



Variants of the partial completeness result below appear in several papers [Jon87, LV95]. Since higher-level specifications are often deterministic, this result explains why in practice (normed) forward simulations can so often be used to prove behavior inclusion.

Theorem 4.9 (Partial completeness of normed/branching forward simulations)
If B is deterministic and $A \le_{*T} B$ then $A \le_F B$.

Proof: The relation $f = after(B) \circ past(A)$ is a branching forward simulation from A to B. □



It is interesting to note that there is one earlier result [LV95] concerning forward simulations that does not carry over to the normed/branching simulations of this paper. This result, Proposition 3.12, states that if A is a forest and $A \le_F B$ then $A \le_R B$. The automata C and D of Figure 6 constitute a counterexample. Actually, the same Proposition 3.12 also does not carry over to the setting of timed automata used earlier [LV96].



5 Normed Backward Simulations 

As we observed, there exists no normed forward simulation from automaton B to automaton A in Figure [| even though both automata have the same traces. Also, there does not exist a normed forward simulation from automaton C to the trace equivalent automaton E in Figure 7. In both cases a forward simulation in Lynch and Vaandrager's sense [LV95] exists. However, the example in Figure 8 below shows that also forward simulations do not yet provide us with a complete method for proving trace inclusion. It is well-known from the literature that completeness can be obtained by adding some form of backward simulation.

Example 5.1 There exists no (normed/branching) forward simulation from automaton C to automaton F in Figure 8. The relation indicated by the dashed lines fails since from state u0 the b-step from s0 can not be simulated, whereas from u2 the a-step from s0 can not be simulated.
Figure 8: The need for backward simulations.



In many respects, backward simulations are the dual of forward simulations. Whereas a for- 
ward simulation requires that some state in the image of each start state should be a start state, 
a backward simulation requires that all states in the image of a start state be start states. Also, 
a forward simulation requires that forward steps in the source automaton can be simulated from 
related states in the target automaton, whereas the corresponding condition for a backward simu- 
lations requires that backward steps can be simulated. However, the two notions are not completely 
dual: the definition of a backward simulation contains a nonemptiness condition, and also, in order 
to obtain soundness for general trace inclusion, backward simulations also require a finite image 
condition. The mismatch is due to the asymmetry in our automata between the future and the 
past: from any given state, all the possible histories are finite executions, whereas the possible 
futures can be infinite. 

Formally, we define a normed backward simulation from A to B to be a pair of a total relation $b \subseteq states(A) \times states(B)$ and a function $n : (steps(A) \cup start(A)) \times states(B) \to S$, for some well-founded set $S$, satisfying

1. If $s \in start(A) \wedge u \in b[s]$ then

(a) $u \in start(B)$, or

(b) $\exists v \in b[s] : v \xrightarrow{\tau}_B u \wedge n(s, v) < n(s, u)$.

2. If $t \xrightarrow{a}_A s \wedge u \in b[s]$ then

(a) $u \in b[t] \wedge a = \tau$, or

(b) $\exists v \in b[t] : v \xrightarrow{a}_B u$, or

(c) $\exists v \in b[s] : v \xrightarrow{\tau}_B u \wedge n(t \xrightarrow{a} s, v) < n(t \xrightarrow{a} s, u)$.

Write $A \le_B B$ if there is a normed backward simulation from A to B, and $A \le_{iB} B$ if there is a normed backward simulation from A to B that is image-finite.

Example 5.2 In Figure ||, the relation indicated by the dashed lines is a normed backward simulation from C to E, for arbitrary norm functions. It is not difficult to construct normed backward simulations from automaton B to automaton A in Figure g|, and from automaton C to automaton E in Figure 7.

Figure 9 illustrates the difference between $\le_B$ and $\le_{iB}$. Relation $states(G) \times states(H)$ together with an arbitrary norm function constitutes a normed backward simulation from G to H. We claim that no image-finite normed backward simulation exists. Because suppose that $b$ is such a relation. Then, for all $i, j \in \mathbb{N}$ with $i > 0$,

$(s_i, u_j) \in b \Rightarrow (s_{i-1}, u_{j+1}) \in b$

Figure 9: No image-finite normed backward simulation.

This implies that

$(s_i, u_j) \in b \Rightarrow (s_0, u_{i+j}) \in b$

Since each state $s_i$ is related to at least one state $u_j$, it follows that state $s_0$ is related to infinitely many states, which is a contradiction.
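As an added example (not code from the paper), the definition above can be checked on finite automata in the same way as the forward case: for every state $u$ related to the target of a step, either 2(a) or 2(b) holds directly, or 2(c) lets $u$ be reached by a $\tau$-step from a state of $b[s]$ with a smaller norm, so the norm can be chosen as the $\tau$-distance from the states where 2(a)/2(b) hold; condition 1 is handled in the same way with $start(B)$ as the set of good states. The automata, relations and function names below are constructed for illustration; the pair A, B has the shape of Figure 8, where a visible choice made early in B has to be matched by a late choice in A, so that a backward rather than a forward simulation is needed.

```python
from collections import deque

TAU = "tau"

# Constructed automata (not the paper's figures), as (start states, steps).
# A chooses between b and c after the a-step; B chooses at the a-step. Both
# have the same traces, and B additionally has an invisible step u1 -tau-> u5.
A = ({"s0"}, [("s0", "a", "s1"), ("s1", "b", "s2"), ("s1", "c", "s3")])
B = ({"u0"}, [("u0", "a", "u1"), ("u1", TAU, "u5"), ("u5", "b", "u3"),
              ("u0", "a", "u2"), ("u2", "c", "u4")])

def image(b, s):
    return {u for (x, u) in b if x == s}

def pred(aut, u, a):
    """States v of aut with v -a-> u."""
    return {v for (v, c, x) in aut[1] if x == u and c == a}

def states_of(aut):
    return aut[0] | {x for (s, _, t) in aut[1] for x in (s, t)}

def tau_distance(B, inside, good):
    """Smallest number of tau-steps of B, all within `inside`, leading from a
    state of `good` to each state of `inside`: the norm used for condition (c)
    (and for condition 1(b), where `good` is the set of start states)."""
    dist = {w: 0 for w in good}
    todo = deque(good)
    while todo:
        v = todo.popleft()
        for (x, c, u) in B[1]:
            if x == v and c == TAU and u in inside and u not in dist:
                dist[u] = dist[v] + 1
                todo.append(u)
    return dist

def backward_norm(A, B, b):
    """Return a norm function (as a dict) making (b, n) a normed backward
    simulation from A to B, or None if b is not one."""
    start_a, steps_a = A
    start_b, _ = B
    # b has to be total on states(A)
    if any(not image(b, s) for s in states_of(A)):
        return None
    norm = {}
    # condition 1: every u in b[s], s a start state, is a start state of B
    # (1a) or is reached via tau-steps inside b[s] from one (1b)
    for s in start_a:
        bs = image(b, s)
        dist = tau_distance(B, bs, bs & start_b)
        if set(dist) != bs:
            return None
        norm.update({(s, u): d for u, d in dist.items()})
    # condition 2: backward steps t -a-> s
    for (t, a, s) in steps_a:
        bs, bt = image(b, s), image(b, t)
        good = {u for u in bs if (a == TAU and u in bt) or (pred(B, u, a) & bt)}
        dist = tau_distance(B, bs, good)
        if set(dist) != bs:
            return None
        norm.update({((t, a, s), u): d for u, d in dist.items()})
    return norm

# The relation of the dashed-line kind: s1 is related to all three states of
# B that lie "between" the a-steps and the visible choice.
B_REL = {("s0", "u0"), ("s1", "u1"), ("s1", "u5"), ("s1", "u2"),
         ("s2", "u3"), ("s3", "u4")}
# Dropping (s1, u1) breaks condition 2 for u5: it has no a-predecessor in
# b[s0] and no tau-predecessor left inside b[s1].
B_REL_BAD = B_REL - {("s1", "u1")}
```

With `B_REL`, `backward_norm` assigns norm 1 to the pair (step $s0 \xrightarrow{a} s1$, u5) and norm 0 to the pairs with u1 and u2; with `B_REL_BAD` it returns `None`. Since the relation is finite it is trivially image-finite, so by Theorem 5.5 it also establishes inclusion of infinite traces.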

The following proposition states some trivial connections between the preorders induced by 
normed backward simulations and step refinements. 

Proposition 5.3

1. If all states of A are reachable and $A \le_R B$ then $A \le_{iB} B$.

2. If $A \le_{iB} B$ then $A \le_B B$.

Proof: Trivial. □

The next lemma is required to prove soundness of normed backward simulations.

Lemma 5.4 Suppose $(b, n)$ is a normed backward simulation from A to B, A has a finite execution fragment $\alpha$ with last state s, and u is a state of B with $u \in b[s]$. Then B has a finite execution fragment $\alpha'$ that ends in u such that $(\alpha, \alpha') \in b$. Moreover, if $\alpha$ is an execution then $\alpha'$ can be chosen to be an execution as well.

Proof: Similar to the proof of Lemma 4.3. □



By Lemma 5.4 and Corollary 3.4, the existence of a normed backward simulation implies inclusion of finite traces. Normed backward simulations, however, are in general not a sound method for proving inclusion of infinite traces. As a counterexample, consider automata G and H from Figure 9. There exists a normed backward simulation from G to H, but the infinite trace $a^\omega$ of G is not a trace of H. As is well-known from the literature, a sound method for proving inclusion of infinite traces can be obtained by requiring image finiteness of the simulation relation.

Theorem 5.5 (Soundness of normed backward simulations)

1. If $b$ is a normed backward simulation from A to B then $[A, B] \in b$.

2. If moreover $b$ is image-finite then $(A, B) \in b$.

Proof: Statement (1) follows immediately by Lemma 5.4 and the totality of $b$. In order to prove (2), suppose that $b$ is image-finite. Let $\alpha$ be an execution of A. We have to establish the existence of an execution $\alpha'$ of B with $(\alpha, \alpha') \in b$. If $\alpha$ is finite then this follows by Lemma 5.4 and the totality of $b$. So assume that $\alpha$ is infinite. We use a minor variation of König's Lemma [Knu97] presented by Lynch and Vaandrager [LV95]:

    Let G be an infinite digraph such that (1) G has finitely many roots, i.e., nodes without incoming edges, (2) each node of G has finite outdegree, and (3) each node of G is reachable from some root. Then there is an infinite path in G starting from some root.

The nodes of the graph G that we consider are pairs $(I, \gamma)$ where $\gamma$ is a finite execution of B and $I$ is an index relation that relates $\gamma$ to some finite prefix of $\alpha$. There is an edge from a node $(I, \gamma)$ to a node $(I', \gamma')$ iff $\gamma$ is a prefix of $\gamma'$ and $I'$ extends $I$ with precisely one element. It is straightforward to check that G satisfies the conditions of König's Lemma. Hence G has an infinite path. Let $J$ be the union of all the index relations occurring on nodes in this path, and let $\alpha'$ be the limit of the finite executions of the nodes in this path. Observe that, by image-finiteness of $b$, each index of $\alpha$ occurs in the domain of $J$. Hence $(\alpha, \alpha') \in b$. □



The following Proposition 5.6 is in a sense the converse of Proposition 5.3. The proof is similar to that of the corresponding result by Lynch and Vaandrager [LV95].



Proposition 5.6

1. If B is deterministic and $A \le_B B$ then $A \le_R B$.

2. If all states of A are reachable, B has fin and $A \le_B B$, then $A \le_{iB} B$.

Proof: For (1), suppose that B is deterministic and that $b$ is a normed backward simulation from A to B. Suppose that s is a reachable state of A. We will prove that $b[s]$ contains exactly one element. Since any normed backward simulation that is functional on the reachable states trivially induces a step refinement, this gives us $A \le_R B$.

Because $b$ is a normed backward simulation it is a total relation, so we know $b[s]$ contains at least one element. Suppose that both $u_1 \in b[s]$ and $u_2 \in b[s]$; we prove $u_1 = u_2$. Since s is reachable, A has an execution $\alpha$ that ends in s. By Lemma 5.4, B has executions $\alpha_1$ and $\alpha_2$ which end in $u_1$ and $u_2$, respectively, such that $(\alpha, \alpha_1) \in b$ and $(\alpha, \alpha_2) \in b$. By Lemma 3.3, $trace(\alpha) = trace(\alpha_1) = trace(\alpha_2)$. Now $u_1 = u_2$ follows by Lemma 2.1(1), using the fact that B is deterministic.

For (2), suppose that all states of A are reachable, B has fin, and $b$ is a normed backward simulation from A to B. Suppose that s is a state of A. Since s is reachable, there is an execution $\alpha$ that ends in s. Let $\beta$ be the trace of $\alpha$. By Lemma 5.4 there exists, for each $u \in b[s]$, an execution $\alpha_u$ of B that ends in u such that $(\alpha, \alpha_u) \in b$. By Lemma 3.3, $trace(\alpha_u) = \beta$. Hence $b[s] \subseteq after(B)[\beta]$. But since B has fin, $after(B)[\beta]$ is finite by Lemma 2.1(2). Hence $b$ is image-finite. □



Example 5.7 Consider the two automata in Figure 10. It is easy to see that there does not exist a normed backward simulation from the first to the second automaton. However, there does exist a backward simulation in Lynch and Vaandrager's sense [LV95]. In such a backward simulation, a step of one automaton may be matched by a sequence of steps in the other automaton with the same trace.

Figure 10: Difference between backward simulations and normed backward simulations.



As in the forward case, we will now characterize normed backward simulations in terms of "branching backward simulations", and use this characterization to establish that $\le_B$ and $\le_{iB}$ are preorders.

A branching backward simulation from A to B is a total relation $b \subseteq states(A) \times states(B)$ such that

1. If $s \in start(A)$ and $u \in b[s]$ then B has an execution that ends in u and is $b$-related to s.

2. If $t \xrightarrow{a} s$ and $u \in b[s]$ then B has an execution fragment that ends in u and is $b$-related to $t \xrightarrow{a} s$.

Theorem 5.8

1. Suppose $(b, n)$ is a normed backward simulation from A to B. Then $b$ is a branching backward simulation from A to B.

2. Suppose $b$ is a branching backward simulation from A to B. Let $n(s, u)$ be 0 if s is not a start state or $u \notin b[s]$ and otherwise be equal to the length of the shortest execution that ends in u and is $b$-related to s. Furthermore, let $n(t \xrightarrow{a} s, u)$ be 0 if $u \notin b[s]$ and otherwise equal to the length of the shortest execution fragment ending in u that is $b$-related to $t \xrightarrow{a} s$. Then $(b, n)$ is a normed backward simulation from A to B.

Proof: Statement (1) follows by Lemma 5.4. The proof of statement (2) is routine. □



As in the forward case, we see that if there exists a normed backward simulation between 
two automata, there is in fact a normed backward simulation with a norm that has the natural 
numbers as its range. 

Proposition 5.9 $\le_B$ and $\le_{iB}$ are preorders.

Proof: Similar to the proof of Proposition 4.8. □

The following partial completeness result is a variation of earlier results [Jon90, LV95].

Theorem 5.10 (Partial completeness of normed backward simulations)
If A is a forest and $A \le_{*T} B$ then $A \le_B B$.

Proof: The relation $b = after(B) \circ past(A)$ is a branching backward simulation from A to B. □

Note that by Proposition 5.6 we can strengthen the conclusion of Theorem 5.10 to $A \le_{iB} B$ in case B has finite invisible nondeterminism.

Example 5.11 Consider the automata A' and B' in Figure |]. There exists no normed backward 
simulation from B' to A'. The relation indicated by the dashed lines fails since the backward 
transition from state uO cannot be simulated from the related state sO. Consequently, normed 
backward simulations do not provide a complete proof method for establishing trace inclusion. In 
the next section, we will see that completeness can be obtained by combining normed forward and 
backward simulations. 



6 Normed History Relations 



In this section we define normed history relations. These provide an abstract view of the history variables of Abadi and Lamport [AL91], which in turn are abstractions of the auxiliary variables of Owicki and Gries [OG76].

A pair $(r, n)$ is a normed history relation from A to B if $r$ is a step refinement from B to A, and $(r^{-1}, n)$ is a normed forward simulation from A to B. Write $A \le_H B$ if there exists a normed history relation from A to B.

Clearly $A \le_H B$ implies $A \le_F B$ and $B \le_R A$. Through these implications, the preorder and soundness results for normed forward simulations and step refinements carry over to normed history relations. In fact, if $(r, n)$ is a normed history relation from A to B then $r$ is just a functional branching bisimulation from B to A in the sense of Van Glabbeek and Weijland [GW96]. Hence, history relations preserve behavior of automata in a very strong sense. Intuitively, there is a history relation from A to B if B can be obtained from A by adding an extra state variable that records information about the history of an execution.

Example 6.1 Consider again the automata A' and B' in Figure ||. Together with an arbitrary 
norm function, the dashed lines constitute a normed history relation from B' to A' . Because, as 
we observed, there is no step refinement from B' to A', there exists no normed history relation 
from A' to B' . 

An important example of a history relation is provided by the "unfolding" construction. The unfolding of an automaton A, notation $unfold(A)$, is the automaton obtained from A by recording the complete history of an execution. Formally, $unfold(A)$ is the automaton B defined by

• $states(B) = execs^*(A)$,

• $start(B)$ = the set of executions of A that consist of a single start state,

• $acts(B) = acts(A)$, and

• for $\alpha', \alpha \in states(B)$ and $a \in acts(B)$, $\alpha' \xrightarrow{a}_B \alpha \Leftrightarrow \alpha = \alpha'\, a\, last(\alpha)$.

The next proposition relates an automaton to its unfolding.

Proposition 6.2 $unfold(A)$ is a forest and $A \le_H unfold(A)$.

Proof: Clearly, $unfold(A)$ is a forest. The function $last$ which maps each finite execution of A to its last state is a step refinement from $unfold(A)$ to A, and the relation $last^{-1}$, together with an arbitrary norm function, is a normed forward simulation from A to $unfold(A)$. □



The following completeness theorem, a variation of a result due to Sistla [Sis91], asserts that normed history relations together with normed backward simulations constitute a complete proof method for establishing trace inclusion. Consequently, also normed forward simulations together with normed backward simulations constitute a complete proof method.

Theorem 6.3 (Completeness of normed history relations and normed backward simulations)
If $A \le_{*T} B$ then there exists an automaton C such that $A \le_H C \le_B B$.

Proof: Take $C = unfold(A)$. By Proposition 6.2, C is a forest and $A \le_H C$. Since $A \le_{*T} B$, also $C \le_{*T} B$ by soundness of history relations. Next apply the partial completeness result for backward simulations (Theorem 5.10) to conclude $C \le_B B$. □

Observe that if we can assume in addition that B has fin, we may replace $\le_B$ by $\le_{iB}$ in the conclusion using Proposition 5.6.



Normed forward simulations are equivalent to normed history variables combined with step refinements: whenever there is a normed forward simulation from A to B, we can find an intermediate automaton C such that there is a normed history relation from A to C and a step refinement from C to B. The converse implication trivially holds since normed history relations and step refinements are special cases of normed forward simulations. In order to prove the existence of automaton C, we need to define a notion of "superposition" of automata and to prove a technical lemma.

Let $R \subseteq states(A) \times states(B)$ be a relation with $R \cap (start(A) \times start(B)) \neq \emptyset$. The superposition $sup(A, B, R)$ of A and B via R is the automaton C defined by

• $states(C) = R$,

• $start(C) = R \cap (start(A) \times start(B))$,

• $acts(C) = acts(A) \cap acts(B)$, and

• for $(s, u), (t, v) \in states(C)$ and $a \in acts(C)$, $(s, u) \xrightarrow{a}_C (t, v) \Leftrightarrow$

$(a = \tau \wedge s = t \wedge u \xrightarrow{a}_B v)$

$\vee\ (a = \tau \wedge u = v \wedge s \xrightarrow{a}_A t)$

$\vee\ (s \xrightarrow{a}_A t \wedge u \xrightarrow{a}_B v)$.

Essentially, the superposition $sup(A, B, R)$ is just the usual parallel composition of A and B with the set of states restricted to R.

Lemma 6.4 Suppose $(f, n)$ is a normed forward simulation from A to B. Let $C = sup(A, B, f)$ and let $\pi_1$ and $\pi_2$ be the projection functions that map states of C to their first and second components, respectively. Let $n'$ be the norm function given by $n'(\delta, u) = n(\delta, \pi_2(u))$. Then $(\pi_1, n')$ is a normed history relation from A to C, and $\pi_2$ is a step refinement from C to B.

Proof: Straightforward from the definitions. □

Theorem 6.5 $A \le_F B \Leftrightarrow (\exists C : A \le_H C \le_R B)$

Proof: The forward implication follows by Lemma 6.4. For the backward implication, suppose $A \le_H C \le_R B$. Then $A \le_F C$ by the definition of history relations, and $C \le_F B$ because any step refinement is a normed forward simulation. Now $A \le_F B$ follows by the fact that $\le_F$ is a preorder. □
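The two constructions of this section, $unfold(A)$ and $sup(A, B, R)$, are concrete enough to be built and checked on small finite automata. The Python program below is an added example, not code from the paper: `unfold` builds the unfolding of an acyclic automaton, `sup` builds the superposition exactly as defined above (assuming, as the paper does throughout, that $\tau$ is an action of every automaton), and `is_step_refinement` checks a function against the definition of step refinement assumed here (the paper defines step refinements in an earlier section): start states map to start states and every step $s \xrightarrow{a} t$ maps to a step $r(s) \xrightarrow{a} r(t)$ or, when $a = \tau$, may be absorbed by $r(s) = r(t)$. The automata and relation are constructed for illustration; `check_prop_6_2` verifies the two claims of Proposition 6.2 on an automaton that is not itself a forest, and `check_lemma_6_4` verifies the two step refinement claims of Lemma 6.4.

```python
TAU = "tau"

# Constructed automaton (not a figure of the paper): (start states, steps).
# s3 has two incoming steps, so A is not a forest, but unfold(A) is.
A = ({"s0"}, [("s0", "a", "s1"), ("s0", "b", "s2"),
              ("s1", "c", "s3"), ("s2", "c", "s3")])

def states_of(aut):
    return aut[0] | {x for (s, _, t) in aut[1] for x in (s, t)}

def unfold(aut):
    """unfold(A): states are the finite executions of A, written as tuples
    s0 a1 s1 ...; a step appends one action and one state. The search
    terminates only for acyclic automata, which is all this example needs."""
    start = {(s,) for s in aut[0]}
    states, steps, todo = set(start), [], list(start)
    while todo:
        ex = todo.pop()
        for (s, a, t) in aut[1]:
            if s == ex[-1]:
                ex2 = ex + (a, t)
                steps.append((ex, a, ex2))
                if ex2 not in states:
                    states.add(ex2)
                    todo.append(ex2)
    return (start, steps)

def is_forest(aut):
    """Every state has at most one incoming step and start states have none."""
    incoming = {}
    for (_, _, t) in aut[1]:
        incoming[t] = incoming.get(t, 0) + 1
    return (all(incoming.get(t, 0) <= 1 for t in states_of(aut))
            and all(incoming.get(s, 0) == 0 for s in aut[0]))

def is_step_refinement(r, src, dst):
    """Assumed definition: r maps start states of src to start states of dst,
    and every step s -a-> t of src either to a step r(s) -a-> r(t) of dst or,
    when a = tau, to no step at all (r(s) = r(t))."""
    if any(r(s) not in dst[0] for s in src[0]):
        return False
    for (s, a, t) in src[1]:
        if (r(s), a, r(t)) not in dst[1] and not (a == TAU and r(s) == r(t)):
            return False
    return True

def sup(A, B, R):
    """Superposition sup(A, B, R): parallel composition of A and B with the
    state set restricted to R, following the three-way disjunction above."""
    start = {(s, u) for (s, u) in R if s in A[0] and u in B[0]}
    acts = {a for (_, a, _) in A[1]} | {a for (_, a, _) in B[1]} | {TAU}
    steps = []
    for (s, u) in R:
        for (t, v) in R:
            for a in acts:
                if ((a == TAU and s == t and (u, a, v) in B[1])
                        or (a == TAU and u == v and (s, a, t) in A[1])
                        or ((s, a, t) in A[1] and (u, a, v) in B[1])):
                    steps.append(((s, u), a, (t, v)))
    return (start, steps)

# A second constructed pair with a normed forward simulation F from A2 to B2:
# the tau-step of B2 is matched by condition 2(c), the a-step by 2(b).
A2 = ({"s0"}, [("s0", "a", "s1")])
B2 = ({"u0"}, [("u0", TAU, "u1"), ("u1", "a", "u2")])
F = {("s0", "u0"), ("s0", "u1"), ("s1", "u2")}

def check_prop_6_2():
    U = unfold(A)
    last = lambda ex: ex[-1]
    return (is_forest(U), is_step_refinement(last, U, A), len(states_of(U)))

def check_lemma_6_4():
    C = sup(A2, B2, F)
    pi1 = lambda su: su[0]
    pi2 = lambda su: su[1]
    return (is_step_refinement(pi1, C, A2), is_step_refinement(pi2, C, B2),
            sorted(C[1]))
```

`check_prop_6_2()` reports that the unfolding of A has five states (the four executions through s1 and s2 are kept apart), is a forest, and that `last` is a step refinement from it to A. `check_lemma_6_4()` reports that both projections are step refinements; the superposition has exactly two steps, the $\tau$-step $(s0, u0) \to (s0, u1)$, which $\pi_1$ absorbs, and the a-step $(s0, u1) \to (s1, u2)$.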



Klop and Ariola [AK96, Intermezzo 3.23] state a remarkable result: on a domain of finitely branching process graphs (i.e., automata considered modulo isomorphism) the preorder induced by functional bisimulations (i.e., history relations) is in fact a partial order: $A \le_H B$ and $B \le_H A$ implies $A = B$. They also present a counterexample to show that the finite branching property is needed to prove this result. Below we present a slight generalization of their result [AK96] in the setting of our paper. It turns out to be sufficient to assume that automata have finite invisible nondeterminism (fin).

Theorem 6.6 Suppose A and B have fin, $A \le_H B$ and $B \le_H A$. Then the reachable subautomata of A and B are isomorphic.

Proof: Suppose that $(f, n)$ is a normed history relation from A to B, and $(g, m)$ is a normed history relation from B to A. Because A and B have fin, both $start(A)$ and $start(B)$ are finite. Since $f$ is a step refinement, it maps start states of B to start states of A. Using the fact that $f^{-1}$ is a forward simulation, we infer that $f$ is surjective on start states. Hence $|start(B)| \ge |start(A)|$. By a similar argument, using the fact that $(g, m)$ is a normed history relation from B to A, we obtain $|start(A)| \ge |start(B)|$. This means that $f$ is also injective on start states. Let $\beta$ be an arbitrary trace of A and B. Using a similar argument as above, we infer

$f(after(B)[\beta]) = after(A)[\beta]$

$g(after(A)[\beta]) = after(B)[\beta]$

Since, by Lemma 2.1(2), both $after(A)[\beta]$ and $after(B)[\beta]$ are finite, it follows that

$|after(A)[\beta]| = |after(B)[\beta]|$

This means that $f$ and $g$ are injective on the sets $after(B)[\beta]$ and $after(A)[\beta]$, respectively. But since each reachable state is in a set $after(B)[\beta]$ or $after(A)[\beta]$, for some $\beta$, it follows that $f$ and $g$ are injective on all states. Now the required isomorphism property follows from the fact that $f$ and $g$ are step refinements. □

Intuitively, one may interpret the above result as follows: if $A \le_H B$ then B contains as much history information as A. If B contains as much history information as A, and A contains as much history information as B, then they are equal.

7 Normed Prophecy Relations 

In this section, we will define normed prophecy relations and show that they correspond to normed 
backward simulations, very similarly to the way in which normed history relations correspond to 
normed forward simulations. 

A pair $(r, n)$ is a normed prophecy relation from A to B if $r$ is a step refinement from B to A and $(r^{-1}, n)$ is a normed backward simulation from A to B. We write $A \le_P B$ if there is a normed prophecy relation from A to B, and $A \le_{iP} B$ if there is a normed prophecy relation $(r, n)$ with $r^{-1}$ image-finite. Thus $A \le_{iP} B$ implies $A \le_{iB} B$ and $A \le_P B$, and $A \le_P B$ implies $A \le_B B$ and $B \le_R A$. Moreover, if all states of A are reachable, B has finite invisible nondeterminism and $A \le_P B$, then $A \le_{iP} B$. It is easy to check that the preorder and soundness results for backward simulations and refinements carry over to prophecy relations.



The following lemma is the analogue of Lemma 6.4 in the backward setting. Using this lemma, we can prove that normed backward simulations are equivalent to normed prophecy variables combined with step refinements.

Lemma 7.1 Suppose $(b, n)$ is a normed backward simulation from A to B. Let $C = sup(A, B, b)$ and let $\pi_1$ and $\pi_2$ be the projection functions that map states of C to their first and second components, respectively. Let $n'$ be the norm function given by $n'(\delta, u) = n(\delta, \pi_2(u))$. Then $(\pi_1, n')$ is a normed prophecy relation from A to C, and $\pi_2$ is a step refinement from C to B. If $b$ is image-finite then so is $\pi_1^{-1}$.

Theorem 7.2

1. $A \le_B B \Leftrightarrow (\exists C : A \le_P C \le_R B)$.

2. $A \le_{iB} B \Leftrightarrow (\exists C : A \le_{iP} C \le_R B)$.

Proof: Analogous to that of Theorem 6.5, using Lemma 7.1. □



We can now prove variants of the well-known completeness result of Abadi and Lamport [AL91].

Theorem 7.3 (Completeness of normed history + prophecy relations and step refinements)
Suppose $A \le_{*T} B$. Then

1. $\exists C, D : A \le_H C \le_P D \le_R B$.

2. If B has fin then $\exists C, D : A \le_H C \le_{iP} D \le_R B$.

Proof: By Theorem 6.3, there exists an automaton C with $A \le_H C \le_B B$. Next, Theorem 7.2 yields the required automaton D with $C \le_P D \le_R B$, which proves (1). The proof of (2) is similar, but uses Proposition 5.6. □

The following theorem states that $\le_P$ is a partial order on the class of automata with fin, considered modulo isomorphism of reachable subautomata. The proof is analogous to that of Theorem 6.6, the corresponding result for normed history relations.



Theorem 7.4 Suppose A and B have fin, A <p B and B <p A. Then the reachable subautomata 
of A and B are isomorphic. 
8 Decidability



Thus far, our exposition has been purely semantic. In the words of Abadi and Lamport [AL91]: "We have considered specifications, but not the languages in which they are expressed. We proved the existence of refinement mappings, but said nothing about whether they are expressible in any language." In this section, we move to the syntactic world and discuss some decidability issues. To this end we have to fix a language for defining automata. The language below can be viewed as a simplified version of the IOA language of Garland et al. [GLV97].

We assume an underlying assertion language $\mathcal{L}$ which is a first-order language over interpreted symbols for expressing functions and predicates over some concrete domains such as integers, arrays, and lists of integers. If $X$ is a set of (typed) variables then we write $F(X)$ and $E(X)$ for the collection of formulas and expressions, respectively, in which variables from $X$ may occur free. An automaton can be described syntactically by first specifying a finite set $X$ of variables, referred to as the state variables. For each state variable $x$ we assume the presence of a copy $x'$, called the primed version of $x$. We write $X'$ for the set $\{x' \mid x \in X\}$ and, if $\phi$ is a formula then we write $\phi'$ for the formula obtained from $\phi$ by replacing each occurrence of a state variable by its primed version. The set of states of the automaton is defined as the set of all valuations of the state variables in $X$. The set of initial states is specified by a predicate in $F(X)$, called the initial condition. The actions are specified via a finite number of action names with, for each action name $a$, a finite list $v$ of variables called the parameters of $a$. We assume $\{v\} \cap X = \emptyset$. The set of actions of the automaton is defined as the union, for each action name $a$, of all tuples $a(d)$, where $d$ is a valuation of the parameters $v$ in their respective domains. The transition relation is specified by providing, for each action name $a$ with parameters $v$, a transition predicate in $F(X \cup \{v\} \cup X')$, i.e., a predicate that may contain action parameters as well as primed and unprimed state variables.



Example 8.1 Below we specify a FIFO channel in IOA syntax [GLV97].

    automaton Channel
      states
        buffer: Seq[Nat]
      initial condition
        buffer = {}
      actions
        send(v: Nat),
        receive(v: Nat),
        tau
      transitions
        action send(v)
          predicate buffer' = buffer |- v
        action receive(v)
          predicate buffer ~= {} /\ v = head(buffer)
                    /\ buffer' = tail(buffer)
        action tau
          predicate false



In IOA datatypes are specified using the Larch specification language [GH93]. In the example we
use the standard finite list datatype, with {} denoting the empty list, |- denoting the operation
that appends an element to the end of a list, etc. Transitions are specified in a standard predicative
style. The example automaton has no $\tau$ transitions, which is specified by the transition predicate
false.

This piece of syntax defines an automaton A with

• states(A) = $\mathbb{N}^*$,

• start(A) = $\{\lambda\}$, where $\lambda$ denotes the empty sequence,

• acts(A) = $\{send(d), receive(d) \mid d \in \mathbb{N}\} \cup \{\tau\}$,

• steps(A) is the least set that contains the following elements, for all $\sigma \in \mathbb{N}^*$ and $d \in \mathbb{N}$:

$$
\sigma \xrightarrow{send(d)} \sigma\, d \qquad\qquad d\, \sigma \xrightarrow{receive(d)} \sigma .
$$



Now assume that we have specified two automata A and B, using state variables x and y,
respectively. Let $X = \{x\}$ and $Y = \{y\}$. Assume $X \cap Y = \emptyset$.

A step refinement from A to B can be specified by a formula of the form $\theta \wedge y = e$, with
$\theta \in F(X)$ and e a list of expressions in E(X) that matches y in terms of length and types. In this
formula, the first conjunct defines the domain of the step refinement whereas the second conjunct
defines a map from states of A to states of B by specifying, for each state variable of B, its value
in terms of the values of the state variables of A.

A normed forward simulation can be described by a predicate in $F(X \cup Y)$ together with, for
each action type a with parameters v, an expression in $E(X \cup \{v\} \cup X' \cup Y)$ that specifies the
norm function. In practice, norm functions often only depend on the states of B, which means
that they can be specified by means of a single expression in E(Y).

Example 8.2 Consider the following specification, essentially just the chaining of two FIFO
channels.

    automaton TwoChannels
      states
        buffer1: Seq[Nat],
        buffer2: Seq[Nat]
      initial condition
        buffer1 = {} /\ buffer2 = {}
      actions
        send(v: Nat),
        receive(v: Nat),
        tau
      transitions
        action send(v)
          predicate buffer1' = buffer1 |- v /\ buffer2' = buffer2
        action receive(v)
          predicate buffer2 ~= {} /\ v = head(buffer2)
                    /\ buffer2' = tail(buffer2) /\ buffer1' = buffer1
        action tau
          predicate buffer1 ~= {} /\ buffer1' = tail(buffer1)
                    /\ buffer2' = buffer2 |- head(buffer1)

Let B be the automaton denoted by this specification. It is easy to prove that the formula below
(where || denotes concatenation of lists) defines a step refinement from B to the automaton A of
Example 8.1:

    buffer = buffer2 || buffer1

It is also routine to check that this formula together with the norm on states of B defined by

    if buffer1 ~= {} /\ buffer2 = {} then 1 else 0

defines a normed forward simulation from A to B.
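Once the data domain is bounded, the claims of Examples 8.1 and 8.2 can be checked by exhaustive enumeration. The following Python program is an added example, not code from the paper or from the IOA toolkit. It represents Channel (automaton A) and TwoChannels (automaton B) as successor functions over messages in {0, 1} and buffers of total length at most 2 (both bounds are assumptions of the example; the paper's automata are unbounded), and checks the three clauses of a normed forward simulation from A to B for the relation buffer = buffer2 || buffer1 together with the norm of Example 8.2, whose else-branch is taken to be 0. Passing a constant norm instead shows why the norm is needed: the τ-step that moves a message from buffer1 to buffer2 then no longer counts as progress, and the receive steps of A that B can only match after such a τ-step are reported as violations.

```python
from itertools import product
from typing import Callable, Iterator, List, Tuple

NAT = (0, 1)   # assumed bounded message domain (the paper uses all of Nat)
CAP = 2        # assumed bound on total buffer length, keeps the state space finite
TAU = "tau"

# A state of Channel is a tuple of messages; a state of TwoChannels is a pair
# (buffer1, buffer2) of such tuples.
AState = Tuple[int, ...]
BState = Tuple[Tuple[int, ...], Tuple[int, ...]]


def a_steps(s: AState) -> Iterator[Tuple[str, AState]]:
    """Transitions of Channel (Example 8.1): send appends, receive pops the head.
    The predicate of tau is false, so Channel has no tau transitions."""
    if len(s) < CAP:
        for v in NAT:
            yield (f"send({v})", s + (v,))
    if s:
        yield (f"receive({s[0]})", s[1:])


def b_steps(u: BState) -> Iterator[Tuple[str, BState]]:
    """Transitions of TwoChannels (Example 8.2)."""
    b1, b2 = u
    if len(b1) + len(b2) < CAP:
        for v in NAT:
            yield (f"send({v})", (b1 + (v,), b2))
    if b2:
        yield (f"receive({b2[0]})", (b1, b2[1:]))
    if b1:  # internal move of the head of buffer1 to the end of buffer2
        yield (TAU, (b1[1:], b2 + (b1[0],)))


def related(s: AState, u: BState) -> bool:
    """The relation of Example 8.2: buffer = buffer2 || buffer1."""
    return s == u[1] + u[0]


def norm(u: BState) -> int:
    """Norm on states of B from Example 8.2 (else-branch assumed to be 0)."""
    b1, b2 = u
    return 1 if b1 and not b2 else 0


def all_b_states() -> Iterator[BState]:
    """Enumerate every TwoChannels state with total length <= CAP."""
    bufs = [t for n in range(CAP + 1) for t in product(NAT, repeat=n)]
    for b1 in bufs:
        for b2 in bufs:
            if len(b1) + len(b2) <= CAP:
                yield (b1, b2)


def check_normed_forward_simulation(
        norm_fn: Callable[[BState], int] = norm) -> List[tuple]:
    """Return the (s, a, t, u) combinations that violate the normed forward
    simulation conditions from A to B; an empty list means the check passes."""
    violations: List[tuple] = []
    # Condition 1: the start state () of A is related to a start state of B.
    if not related((), ((), ())):
        violations.append(("start",))
    # Condition 2: the relation is functional from B to A, so enumerating B's
    # states u and taking the unique related s covers every related pair.
    for u in all_b_states():
        s = u[1] + u[0]
        for a, t in a_steps(s):
            # (a) B stays put; only allowed when A did a tau step (never, here).
            ok = a == TAU and related(t, u)
            # (b) B matches the step with the same action and lands in f[t].
            ok = ok or any(b == a and related(t, v) for b, v in b_steps(u))
            # (c) B takes a tau step to a state still related to s with a
            #     strictly smaller norm, so the norm guarantees termination.
            ok = ok or any(b == TAU and related(s, v) and norm_fn(v) < norm_fn(u)
                           for b, v in b_steps(u))
            if not ok:
                violations.append((s, a, t, u))
    return violations


if __name__ == "__main__":
    print("with the norm of Example 8.2:", check_normed_forward_simulation())
    print("with a constant norm:", check_normed_forward_simulation(lambda u: 0))
```

The same enumeration can be reused to check the step refinement from B to A by projecting each state (buffer1, buffer2) to buffer2 || buffer1 and asking that every B-step is either a τ-step that leaves the projection unchanged or is matched by an A-step with the same label.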

We will now show that, under some reasonable (sufficient but certainly not necessary) assumptions,
it is in fact decidable whether a given predicate/expression indeed corresponds to a step
refinement or normed forward simulation. Assume that automaton A is described using state
variables x, initial condition $\varphi_0$ and, for each action name a, a transition predicate $\varphi_a$. Likewise,
assume that automaton B is described using state variables y, initial condition $\psi_0$ and, for each
action name a, a transition predicate $\psi_a$. Assume further that each action name a of A is also an
action name of B, and that a has the same parameters in both A and B. Write $P_a$ for the list of
parameters of a. We require that $P_\tau = \emptyset$.

Suppose that we want to check whether a formula $\rho = \theta \wedge y = e$ denotes a step refinement.
This is equivalent to proving validity of the following formula:

$$
\begin{array}{rl}
 & \varphi_0 \Rightarrow \theta \\
\wedge & \varphi_0 \wedge \rho \Rightarrow \psi_0 \\
\wedge & \bigwedge_{a} \varphi_a \wedge \theta \Rightarrow \theta' \\
\wedge & \bigwedge_{a \neq \tau} \varphi_a \wedge \rho \wedge \rho' \Rightarrow \psi_a \\
\wedge & \varphi_\tau \wedge \rho \wedge \rho' \Rightarrow \psi_\tau \vee y = y'
\end{array}
$$

In this formula, the first conjunct asserts that the function is defined for start states of A; the
second conjunct that start states of A are mapped onto start states of B; the third conjunct that
if the function is defined for the source of a transition then it is also defined for the target state
of a transition; and the two final conjuncts encode the transfer condition. Thus checking whether
a partial function is a step refinement from A to B is decidable if the partial function as well as
A and B can all be expressed within a fragment of $\mathcal{L}$ for which tautology checking is decidable.

Next suppose that we want to check whether a formula $\rho$ together with norm expressions $n_a$,
for each action name a, denotes a normed forward simulation from A to B. In order to turn this
into a decidable question, we have to make some additional assumptions about the specification
of B. We assume that B has finitely many start states (see footnote 2 below), which are listed
explicitly, i.e., we require that the initial condition $\psi_0$ is of the form

$$
\psi_0 = \bigvee_{i \in I_0} y = e^i_0 \qquad (3)
$$

where $I_0$ is a finite index set and, for each i, $e^i_0$ is a list of closed terms. In addition we assume
that in any state and for any given value of the action parameters, only finitely many transitions
are possible in B, which are listed explicitly. Formally we require that, for each action type a,
transition predicate $\psi_a$ is of the form

$$
\psi_a = \bigvee_{i \in I_a} \left( \chi^i_a \wedge y' = e^i_a \right) \qquad (4)
$$

where $I_a$ is a finite index set and, for each i, $\chi^i_a$ is a formula in $F(Y \cup \{P_a\})$ and $e^i_a$ is a list of
expressions in $E(Y \cup \{P_a\})$. Basically, $\chi^i_a$ gives the precondition of the i-th instance of transition
a and $y' = e^i_a$ specifies the effect of taking it. Both assumptions (3) and (4) are satisfied by most
automaton specifications that one encounters in practice. In particular, the assumptions hold for
the channels specified in Examples 8.1 and 8.2. Only specifications that involve a nondeterministic
choice that is not a priori bounded fall outside of our format. An example of this, described by
Søgaard-Andersen et al. [SAGG+93], is a FIFO channel in which a crash action may result in
the loss of an arbitrary subset of the messages contained in a buffer. Under assumptions (3) and
(4), we can eliminate the existential quantifiers that occur in the definition of a normed forward
simulation, and checking the conditions in this definition becomes equivalent to proving validity
of the following formula:

$$
\begin{array}{rl}
 & \varphi_0 \Rightarrow \bigvee_{i \in I_0} \rho[e^i_0/y] \\
\wedge & \bigwedge_{a \neq \tau} \varphi_a \wedge \rho \Rightarrow
  \bigvee_{i \in I_a} \left( \chi^i_a \wedge \rho'[e^i_a/y'] \right) \vee
  \bigvee_{i \in I_\tau} \left( \chi^i_\tau \wedge \rho[e^i_\tau/y] \wedge n_a[e^i_\tau/y] < n_a \right) \\
\wedge & \varphi_\tau \wedge \rho \Rightarrow \rho'[y/y'] \vee
  \bigvee_{i \in I_\tau} \left( \chi^i_\tau \wedge \rho'[e^i_\tau/y'] \right) \vee
  \bigvee_{i \in I_\tau} \left( \chi^i_\tau \wedge \rho[e^i_\tau/y] \wedge n_\tau[e^i_\tau/y] < n_\tau \right)
\end{array}
$$

Here the first conjunct covers start states, the disjuncts with $\rho'[e^i_a/y']$ and $\rho'[y/y']$ correspond to B matching the step (or, for $\tau$, standing still), and the disjuncts with $n_a[e^i_\tau/y] < n_a$ correspond to B taking a norm-decreasing $\tau$-step to a state still related to the source state.

(2) This assumption can be relaxed if we assume that the value of certain state variables of B is fully determined
by $\rho$ and the state of A: for those state variables the initial value can be left unspecified.



If this formula can be expressed within a fragment of $\mathcal{L}$ for which tautology checking is decidable
then it is decidable whether $\rho$ together with expressions $n_a$ constitutes a normed forward simulation.
It is easy to see that a similar result can also be obtained for normed history variables. Thus
far, however, we have not been able to come up with plausible syntactic restrictions, applicable in
practical cases, that ensure decidability of normed backward simulations and/or normed prophecy
relations. It is for instance not clear how one can eliminate the existential quantifier in the formula
that asserts that in a normed backward simulation for each state of A there exists a related state
of B. We think this constitutes an interesting area for future research.

Our decidability results for step refinements and normed forward simulations do not carry over
to the refinements and forward simulations as described, for instance, by Lynch and Vaandrager
[LV95]. In order to see this, let A be a system with two states, an initial and a final one, and a
single transition labeled halt from the initial to the final state. Let B be a system that simulates
the n-th Turing machine such that each computation step of the Turing machine corresponds
with a $\tau$-move, and that moves via a halt-action to a designated final state if and only if the
computation of the Turing machine terminates. The function that maps the initial state of A to
the initial state of B and the final state of A to the final state of B is a weak refinement iff the
n-th Turing machine halts. It is straightforward to specify A, B and the function from states of
A to states of B in a decidable logic. Hence it is undecidable whether a given function is a weak
refinement, even in a setting where the underlying logic is decidable.



9 Reachability 

For the sake of simplicity, all definitions of simulations and refinements so far have been presented
without any mention of reachability or invariants. However, in practical verifications it is almost
always the case that first some invariants (properties that hold for all reachable states) are
established for the lower-level and/or higher-level specification. These invariants are then used in
proving the step correspondence. In this section we show how to integrate reachability concerns
into the simulation definitions. More specifically, we present adapted versions of step refinements,
normed forward simulations and normed backward simulations which include reachability concerns,
and discuss their relationship with the original definitions. For examples of the use of these
adapted definitions and their formalization in PVS, we refer to our earlier work [Gri00].

An adapted step refinement from A to B consists of a partial function $r : states(A) \to states(B)$
satisfying the following two conditions:

1. If $s \in start(A)$ then $s \in domain(r)$ and $r(s) \in start(B)$.

2. If $s \xrightarrow{a}_A t \wedge s \in domain(r) \wedge reachable(A, s) \wedge reachable(B, r(s))$ then $t \in domain(r)$ and

   (a) $r(s) = r(t) \wedge a = \tau$, or

   (b) $r(s) \xrightarrow{a}_B r(t)$.

Clause reachable(A, s) in condition (2) allows us to reuse invariants that have previously been
established for lower-level specification A, whereas clause reachable(B, r(s)) in condition (2) makes
it possible to reuse known invariants of higher-level specification B. The adapted definition can
easily be seen as a special case of the original definition in Section 3.1: if r is an adapted step
refinement then the restriction r' of r defined by

$$
s \in domain(r') \;\Leftrightarrow\; s \in domain(r) \wedge reachable(A, s) \wedge reachable(B, r(s)),
$$

is a regular step refinement. Conversely, any regular step refinement trivially satisfies the conditions
of the adapted version.
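To see what the reachable(A, s) clause in condition (2) buys in practice, here is an added example in Python; it is not code from the paper or from the PVS development it refers to. It takes an assumed variant of the Channel of Example 8.1, called FlaggedChannel here, that carries a redundant boolean state variable empty and a τ action that clears the buffer whenever the flag is set. Over all states, the projection r(buffer, empty) = buffer is not a step refinement to Channel: a state with empty = true and a non-empty buffer has a τ-step that changes the projection, and Channel has no τ-step to match it. Every such state violates the invariant empty ⇔ buffer = {} and is unreachable, so the adapted definition, which only demands condition (2) for reachable sources, accepts r. The message domain {0, 1} and the buffer bound are assumptions of the example that keep the state spaces finite.

```python
from collections import deque
from itertools import product
from typing import Callable, Hashable, Iterator, List, Set, Tuple

NAT = (0, 1)   # assumed bounded message domain
CAP = 2        # assumed bound on buffer length
TAU = "tau"

Buf = Tuple[int, ...]
AState = Tuple[Buf, bool]   # (buffer, empty) of the assumed FlaggedChannel
BState = Buf                # buffer of Channel (Example 8.1)


def a_steps(s: AState) -> Iterator[Tuple[str, AState]]:
    """FlaggedChannel: Channel plus a redundant 'empty' flag and a tau action
    that resets the buffer when the flag is set (harmless only on reachable
    states, where the flag agrees with the buffer)."""
    buf, empty = s
    if len(buf) < CAP:
        for v in NAT:
            yield (f"send({v})", (buf + (v,), False))
    if not empty and buf:   # receive is guarded by the flag, not only the buffer
        yield (f"receive({buf[0]})", (buf[1:], len(buf) == 1))
    if empty:
        yield (TAU, ((), True))


def b_steps(u: BState) -> Iterator[Tuple[str, BState]]:
    """Channel of Example 8.1: no tau transitions."""
    if len(u) < CAP:
        for v in NAT:
            yield (f"send({v})", u + (v,))
    if u:
        yield (f"receive({u[0]})", u[1:])


A_START: AState = ((), True)
B_START: BState = ()


def r(s: AState) -> BState:
    """Total projection onto the buffer, the candidate (adapted) step refinement."""
    return s[0]


def reachable(start: Hashable, steps: Callable) -> Set[Hashable]:
    """Breadth-first computation of reachable(X) for a finite automaton X."""
    seen = {start}
    todo = deque([start])
    while todo:
        x = todo.popleft()
        for _, y in steps(x):
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return seen


def all_a_states() -> Iterator[AState]:
    """Every FlaggedChannel state, reachable or not."""
    for n in range(CAP + 1):
        for buf in product(NAT, repeat=n):
            for empty in (True, False):
                yield (buf, empty)


def step_refinement_violations(adapted: bool) -> List[tuple]:
    """Check conditions (1) and (2) of a step refinement from FlaggedChannel to
    Channel.  With adapted=True, condition (2) is only required for source
    states s with reachable(A, s) and reachable(B, r(s)), as in Section 9."""
    viol: List[tuple] = []
    if r(A_START) != B_START:            # condition (1)
        viol.append(("start",))
    reach_a = reachable(A_START, a_steps)
    reach_b = reachable(B_START, b_steps)
    for s in all_a_states():
        if adapted and not (s in reach_a and r(s) in reach_b):
            continue
        for a, t in a_steps(s):
            stutter = a == TAU and r(s) == r(t)                             # (2a)
            matched = any(b == a and v == r(t) for b, v in b_steps(r(s)))  # (2b)
            if not (stutter or matched):
                viol.append((s, a, t))
    return viol


if __name__ == "__main__":
    print("unrestricted:", step_refinement_violations(adapted=False))
    print("adapted:     ", step_refinement_violations(adapted=True))
```

The invariant is never written down explicitly: computing reachable(A) plays the role that a previously proven invariant plays in a theorem-prover setting, where the reachable(A, s) hypothesis is what lets the invariant be assumed while discharging condition (2).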
An adapted normed forward simulation from A to B consists of a relation $f \subseteq states(A) \times states(B)$
and a function $n : steps(A) \times states(B) \to S$, for some well-founded set S, such that:

1. If $s \in start(A)$ then $f[s] \cap start(B) \neq \emptyset$.

2. If $s \xrightarrow{a}_A t \wedge u \in f[s] \wedge reachable(A, s) \wedge reachable(B, u)$ then

   (a) $u \in f[t] \wedge a = \tau$, or

   (b) $\exists v \in f[t] : u \xrightarrow{a}_B v$, or

   (c) $\exists v \in f[s] : u \xrightarrow{\tau}_B v \wedge n(s \xrightarrow{a} t, v) < n(s \xrightarrow{a} t, u)$.

Again, the clause reachable(A, s) in condition (2) allows us to reuse invariants that have previously
been established for A, whereas clause reachable(B, u) in condition (2) permits reuse of invariants
of B. And again the adapted definition can easily be seen as a special case of the original
definition given earlier: if (f, n) is an adapted normed forward simulation then the pair (g, n),
where $g = f \cap (reachable(A) \times reachable(B))$, is a regular normed forward simulation. Conversely,
any regular normed forward simulation trivially is an adapted normed forward simulation.

An adapted normed backward simulation from A to B consists of a relation $b \subseteq states(A) \times states(B)$,
a predicate $Q \subseteq states(B)$, and a function $n : (steps(A) \cup start(A)) \times states(B) \to S$,
for some well-founded set S, such that:

1. If $s \in start(A) \wedge u \in b[s] \wedge Q(u)$ then

   (a) $u \in start(B)$, or

   (b) $\exists v \in b[s] : v \xrightarrow{\tau}_B u \wedge n(s, v) < n(s, u) \wedge Q(v)$.

2. If $t \xrightarrow{a}_A s \wedge u \in b[s] \wedge reachable(A, t) \wedge Q(u)$ then

   (a) $u \in b[t] \wedge a = \tau$, or

   (b) $\exists v \in b[t] : v \xrightarrow{a}_B u \wedge Q(v)$, or

   (c) $\exists v \in b[s] : v \xrightarrow{\tau}_B u \wedge n(t \xrightarrow{a} s, v) < n(t \xrightarrow{a} s, u) \wedge Q(v)$.

3. If $reachable(A, s)$ then $\exists u \in b[s] : Q(u)$.

Clause reachable(A, t) in condition (2) allows us to reuse invariants that have previously been
established for A, and clause Q(u) in condition (2) permits reuse of invariants of B. Note that by
a trivial inductive argument a backward simulation can never relate a reachable state of A to a
non-reachable state of B. Thus we can safely restrict the range of any backward simulation by all
invariants proven for B. To this end predicate Q has been included in the definition of the adapted
normed backward simulation, even though strictly speaking (1) Q need not be an invariant, and
(2) Q can always be eliminated by restricting the range of b. Once more the adapted definition
is a special case of the original definition given earlier: if (b, n) is an adapted normed backward
simulation then (b, n) is also a regular normed backward simulation from the automaton A', that
restricts A to its reachable states, to the automaton B', that restricts B to the states in Q.
Conversely, any regular normed backward simulation trivially is an adapted normed backward
simulation with Q = states(B).

We leave it up to the reader to work out adapted versions of the normed history and prophecy 
relations. 